1. what are the tools available receiving tickets or incidents?
2. what are tools available to interact with server system?
3. what is the difference between weblogic and websphere?
4. what is the difference between websphere5.x,6.x?and what are extra features added in 6.x?
Thursday, December 25, 2008
Wednesday, December 24, 2008
Managing self-signed certificates (Sun Solaris)
In a development environment you may have to interact with self-signed certificates, which are used to secure the services you offer. To communicate with a secured service that presents a self-signed certificate, a client imports the certificate into a local truststore or certificate database. When I import a certificate, usually have to refer to the relevant man pages .... but I've done it enough times that jay decided to create a utility to automate the process. Here's a java CertificateManager netbeans project that can be used to import a self-signed certificate from a remote host into a java keystore of your choice.
Usage: java -jar CertificateManager.jar -url https://{hostname}:{port} [-keystore {keystore}] [-pw {password}]
default keystore: ${java.home}/lib/security/cacerts
default pw: changeit
In order for the CertificateManager to accept self-signed certificates itself, I found the very useful SSLUtilities.java class.
If you work with sun ldap/ssl directory server configurations that use self-signed certificates, you will know that the certificates used by ldap are stored in the mozilla-style certificate database, commonly created at /var/ldap on a native ldap client. The certutil command is used to administer the ldap certificate database; you can add your java keystore certificate to the ldap certificate database as follows:
# Import remote self-signed certificate into local java keystore
java -jar ../tools/CertificateManager.jar -url ${url} -keystore ${ks} -pw ${pw}
# export certificate in rfc-form for import into certificate database
keytool -list -rfc -keystore ${ks} -storepass ${pw} > selfsigned.pem
# import into /var/ldap certificate database
/usr/sfw/bin/certutil -A -n "${alias}" -i selfsigned.pem -a -t CT -d /var/ldap
Usage: java -jar CertificateManager.jar -url https://{hostname}:{port} [-keystore {keystore}] [-pw {password}]
default keystore: ${java.home}/lib/security/cacerts
default pw: changeit
In order for the CertificateManager to accept self-signed certificates itself, I found the very useful SSLUtilities.java class.
If you work with sun ldap/ssl directory server configurations that use self-signed certificates, you will know that the certificates used by ldap are stored in the mozilla-style certificate database, commonly created at /var/ldap on a native ldap client. The certutil command is used to administer the ldap certificate database; you can add your java keystore certificate to the ldap certificate database as follows:
# Import remote self-signed certificate into local java keystore
java -jar ../tools/CertificateManager.jar -url ${url} -keystore ${ks} -pw ${pw}
# export certificate in rfc-form for import into certificate database
keytool -list -rfc -keystore ${ks} -storepass ${pw} > selfsigned.pem
# import into /var/ldap certificate database
/usr/sfw/bin/certutil -A -n "${alias}" -i selfsigned.pem -a -t CT -d /var/ldap
Monday, December 22, 2008
WebSphere Security, WebSphere and Firewalls
WebSphere Security
By default, WebSphere is installed with its built-in security features disabled. You can configure and control WAS without authentication - and so can anyone else with access to the administration console or host system. WebSphere Security is a complex topic; you must read the Infocenter, the Security Redbook, and all related documents carefully before enabling it. Here is an overview of the subject.
Once enabled, WAS Security encrypts some connections in cells using SSL and limits administrative access to defined username/password combinations authenticated against a defined registry. It can also be leveraged by applications for user access control and authentication, and internal security.
WebSphere is installed with a default ("dummy") set of SSL certificates and keys. Ideally, these should be replaced with a new set generated with IBM's ikeyman utility before enabling Security. The certificate sets have to be installed on each node in a cell and any Web servers that use the HTTP Plugin to communicate with the cell.
WebSphere can use either the local OS password file, an LDAP server, or a custom registry to retrieve authentication details. Sample code is provided for a file-based custom registry, but IBM doesn't recommend using it in a production deployment.
WAS ND can only use LDAP or a custom registry for authentication. All nodes in the cell have to be able to access the registry.
WebSphere doesn't support replicated LDAP servers (you can only specify a single LDAP server address). Any LDAP server you use has to have a transparent high-availability mechanism.
Once Security is enabled, a user name and password must also be given as arguments when using wsadmin or the command scripts. If you write shell scripts around them to run unattended, you'll have to embed the user name and password details in them. Obviously, this makes such information less secure (although user actions can be restricted to one of four defined roles).
WebSphere products install with global file read permissions. However, many of the files within them should be protected from general user access, including the configuration repository (config/), the SSL key files (etc/), and possibly the logs (logs/). This means changing the default file permissions manually.
If the HTTP Plugin configuration file is automatically generated, it will include the URI for the administration console. You do not want this to be accessible on a production Web server. Copy and edit the file to remove it, and include an ACL rule on your Web servers blocking all external access to /admin/*.
It's worth considering whether careful firewalling and IP access controls that limit connections to a small defined set of addresses can effectively control administrative access without having to enable WAS Security with its attendant overheads and complexities. This is particularly true if your application uses its own authentication system rather than relying on WebSphere to provide security.
Minimum Security RecommendationThe following configuration enables the minimum amount of WAS Security, mainly to protect the administration functions, without significant overhead. It may not be sufficient for production environments.
Using the file-based custom registry example, create a flat file containing defined users for the Administrator and Operator roles. Use the former for the Administration Console and the latter for scripts that control WAS. Copy the file to all nodes in the cell and make sure that only the user ID under which WAS runs has read access. If you have an existing resilient LDAP infrastructure, you may want to use that instead.
Enable WAS Global Security and configure the registry details for the chosen method.
Run WAS processes under a non-root account with limited access rights and privileges. (See the Infocenter topic "Running the application server with a non-root user ID." This can also be done for the WAS ND Deployment Manager.)
Limit access to the WAS configuration, application, and log files using normal Unix file permissions and ownerships.
WebSphere and Firewalls
WebSphere Application Server on a single node is reasonably simple to firewall; just make sure that the Web server can reach the application server HTTP and HTTPS ports, and the application server can reach any backend services such as databases. Ideally production application servers and Web servers should be on separate, dedicated network segments in demilitarised zones (DMZs).
In a distributed cell with the deployment manager firewalled from the application nodes (which is recommended), a number of ports must be opened up between the two. Regrettably, this includes the default administration console port (9090), since it's shared with the filetransfer application that the application servers use to pull data. Hence you may still need WebSphere Security to protect the console (e.g., in the event of the application servers being compromised).
In a distributed cell with the deployment manager firewalled from the application nodes (which is recommended), a number of ports must be opened up between the two. Regrettably, this includes the default administration console port (9090), since it's shared with the filetransfer application that the application servers use to pull data. Hence you may still need WebSphere Security to protect the console (e.g., in the event of the application servers being compromised).
Table 1 shows the TCP ports that must be opened between node agents and the DMgr for management and initial node federation, together with the default port numbers following a standard installation. You should confirm the port assignments by examining the serverindex.xml files in the WAS configuration repository, or the details for each server in the administration console. Additional ports may be required when WAS Security is enabled.
Saturday, December 20, 2008
Design concepts (Java Concepts)
What's the difference between abstraction and encapsulation?
A: Abstraction and encapsulation are two quite separate concepts in Java. Abstraction is a technique that is used to represent common functionality amongst a set of classes. An analogy is to look at a set of vehicles: Car, Truck and Bus have some common features that all road vehicles share. From a Java perspective, the mechanics of turning four wheels, an engine, could be handled in abstract form through a common superclass. Abstraction allows subclasses to share common code without duplication.
What is the difference between static and dynamic polymorphism?
A: The term static polymorphism is associated with overloaded methods because it gives the impression that a single named method will accept a number of different argument types. The System.out.println() method is an example that may take String or Object references, boolean and other primitive types as an argument. In fact, each overloaded method is separate and the compiler can see the difference between them. In this case, the argument types are fixed at compile time and are considered static. This has nothing to do with the Java keyword static.
Dynamic polymorphism is where a class overrides a superclass method or implements an interface. For example, any class may override the Object.toString() method and provide its own implementation, and this is known at compile time. However, for a simple Java program that instantiates a series of objects and calls their toString() method, the compiler does not consider the object references differently. Any differences in the objects' toString() implementations are only seen at runtime, so they are considered dynamic.
Is println overloading or overriding?
A: The PrintWriter println() method is an example of overloading because several methods in the class have the same name and return the same type. In this case, println(boolean), println(int) and println(String) all have the same basic method name, "println", and all return void. The only part of the method signature that varies is the type of the argument (including none), which is enough for the Java interpreter to identify the appropriate method to call at runtime.
Does the order of the operands in == matter?
A: With this sort of question it is often easiest to try it yourself and see. You will find that single boolean comparisons are equivalent whichever way round you have the values.
From a reader's point of view most people would put the "unknown" variable first because it is the subject of the comparison, but syntactically it does not matter.
if (a == 10) { }
What are keywords and reserved words?
A: Java keywords are standard English words that have a special meaning in the Java programming language. Keywords include class, interface, abstract, public, static and final, which are used to declare the type and nature of Java compilation units. The statements used to define variables and method bodies include keywords new, return, if, while and throws. These words are interpreted by the Java compiler and used to produce byte code that can be run as a program.
A: Abstraction and encapsulation are two quite separate concepts in Java. Abstraction is a technique that is used to represent common functionality amongst a set of classes. An analogy is to look at a set of vehicles: Car, Truck and Bus have some common features that all road vehicles share. From a Java perspective, the mechanics of turning four wheels, an engine, could be handled in abstract form through a common superclass. Abstraction allows subclasses to share common code without duplication.
What is the difference between static and dynamic polymorphism?
A: The term static polymorphism is associated with overloaded methods because it gives the impression that a single named method will accept a number of different argument types. The System.out.println() method is an example that may take String or Object references, boolean and other primitive types as an argument. In fact, each overloaded method is separate and the compiler can see the difference between them. In this case, the argument types are fixed at compile time and are considered static. This has nothing to do with the Java keyword static.
Dynamic polymorphism is where a class overrides a superclass method or implements an interface. For example, any class may override the Object.toString() method and provide its own implementation, and this is known at compile time. However, for a simple Java program that instantiates a series of objects and calls their toString() method, the compiler does not consider the object references differently. Any differences in the objects' toString() implementations are only seen at runtime, so they are considered dynamic.
Is println overloading or overriding?
A: The PrintWriter println() method is an example of overloading because several methods in the class have the same name and return the same type. In this case, println(boolean), println(int) and println(String) all have the same basic method name, "println", and all return void. The only part of the method signature that varies is the type of the argument (including none), which is enough for the Java interpreter to identify the appropriate method to call at runtime.
Does the order of the operands in == matter?
A: With this sort of question it is often easiest to try it yourself and see. You will find that single boolean comparisons are equivalent whichever way round you have the values.
From a reader's point of view most people would put the "unknown" variable first because it is the subject of the comparison, but syntactically it does not matter.
if (a == 10) { }
What are keywords and reserved words?
A: Java keywords are standard English words that have a special meaning in the Java programming language. Keywords include class, interface, abstract, public, static and final, which are used to declare the type and nature of Java compilation units. The statements used to define variables and method bodies include keywords new, return, if, while and throws. These words are interpreted by the Java compiler and used to produce byte code that can be run as a program.
Design patterns (Java Concepts)
What is a singleton?
A: A singleton class is one in which instantiation is restricted to ensure that only one instance is created for the current Java Virtual Machine. Singletons usually have a private default constructor, to prevent direct instantiation, and a static method to obtain a "new" reference to the single instance. On its first call, the static instance method creates the object using a private constructor and stores a static reference to it for all subsequent calls.
What happens to singletons when two JVMs are running?
A: There is only one instance of a true singleton in a single virtual machine. If two virtual machines are running, two separate and independent instances of a singleton exist. If the singleton in question is governing access to the same system resource, there may be conflicts between the two systems, which is why the singleton design pattern is not ideal in this scenario
How do I format my price correctly?
A: Whenever you need to represent quantities that have specific formatting and equivalence requirements, it is best to use the Quantity design pattern. For a Money type, you can associate a Currency with the amount and can deal with all rounding issues in one class. Your money and currency types can then use generic rendering methods to show the amount however you choose.
What is a factory method?
A: A factory method is typically used to obtain a new instance of a class, which may be one of several alternate implementations. The return type of a factory method is an interface or superclass type, which gives it the freedom to govern the actual class that is returned through polymorphism. This design pattern enables the factory to control and encapsulate the logic used to decide which instance to return.
How should I create an immutable class?
A: An immutable class is one whose field values cannot be altered after instantiation, so all variable values must be assigned in the constructor and may therefore be declared final. By definition an immutable class should not have any modifier methods, but you must also be careful that the constructor and accessor methods do not expose mutable field references.
A: A singleton class is one in which instantiation is restricted to ensure that only one instance is created for the current Java Virtual Machine. Singletons usually have a private default constructor, to prevent direct instantiation, and a static method to obtain a "new" reference to the single instance. On its first call, the static instance method creates the object using a private constructor and stores a static reference to it for all subsequent calls.
What happens to singletons when two JVMs are running?
A: There is only one instance of a true singleton in a single virtual machine. If two virtual machines are running, two separate and independent instances of a singleton exist. If the singleton in question is governing access to the same system resource, there may be conflicts between the two systems, which is why the singleton design pattern is not ideal in this scenario
How do I format my price correctly?
A: Whenever you need to represent quantities that have specific formatting and equivalence requirements, it is best to use the Quantity design pattern. For a Money type, you can associate a Currency with the amount and can deal with all rounding issues in one class. Your money and currency types can then use generic rendering methods to show the amount however you choose.
What is a factory method?
A: A factory method is typically used to obtain a new instance of a class, which may be one of several alternate implementations. The return type of a factory method is an interface or superclass type, which gives it the freedom to govern the actual class that is returned through polymorphism. This design pattern enables the factory to control and encapsulate the logic used to decide which instance to return.
How should I create an immutable class?
A: An immutable class is one whose field values cannot be altered after instantiation, so all variable values must be assigned in the constructor and may therefore be declared final. By definition an immutable class should not have any modifier methods, but you must also be careful that the constructor and accessor methods do not expose mutable field references.
Object design (Java Concepts)
Object design
What's the difference between a class and an object in Java?
A: A Java class is a definition or model of an object type. A class has a specific set of fields, methods and constructors with distinct argument types. Any object that fulfils a class definition directly or by inheritance has a set of properties and behaviour that is common to all instances of the class. In this sense, a class is like a set of things that are alike.
In Java concrete classes also provide a code implementation that can be instantiated to create an object reference. An instance of a class directly fulfils the its own definition, it also fulfils any superclass definitions too.
The Java Virtual Machine creates static references to classes when it runs a Java program. Classloaders make the public static fields and methods of classes available to the runtime system whether any instance exists or not. When a constructor is called, the class returns an instance of the object it represents.
What is an object in Java?
A: In Java the Object class is the ultimate superclass of every other object type. All objects are extended from the Object class, either directly or by inheritance through any number of parent classes. If a class does not explicitly extend any named class, it implicitly extends the Object class. An object with a small o is the word used to describe an instance of a Java class.
What is the difference between a method header and its signature?
A: A Java method header is the whole declaration statement for a method before its curly braces. The header includes the method's visibility modifier, return type, arguments and exceptions, as below.
public final String getDetails(final File file,
final String key) throws IOException
A Java method signature is the method name and parameters only. The order of the parameters is significant because they may distinguish overloaded methods by the same name.
getDetails(File, String)
Can I use the same variable name in two methods?
A: It is possible to use the same variable names for method local variables in two separate methods. However, all variables in a single method must have different names.
public class MethodLocalVariables {
void testOne() {
int test;
}
void testTwo() {
int test;
}
}
Can objects be used in place of arrays?
A: Yes, sometimes it is sensible to use an object to carry other object references instead of an array. For instance, you could issue an object as the return value of a method that must return multiple object references.
What's the difference between equals and ==?
A: The Java == operator is used to compare primitive values such as int, long and boolean for equality; whether the variables, values or expression on either side of the operator equate to the same value.
What's the difference between a class and an object in Java?
A: A Java class is a definition or model of an object type. A class has a specific set of fields, methods and constructors with distinct argument types. Any object that fulfils a class definition directly or by inheritance has a set of properties and behaviour that is common to all instances of the class. In this sense, a class is like a set of things that are alike.
In Java concrete classes also provide a code implementation that can be instantiated to create an object reference. An instance of a class directly fulfils the its own definition, it also fulfils any superclass definitions too.
The Java Virtual Machine creates static references to classes when it runs a Java program. Classloaders make the public static fields and methods of classes available to the runtime system whether any instance exists or not. When a constructor is called, the class returns an instance of the object it represents.
What is an object in Java?
A: In Java the Object class is the ultimate superclass of every other object type. All objects are extended from the Object class, either directly or by inheritance through any number of parent classes. If a class does not explicitly extend any named class, it implicitly extends the Object class. An object with a small o is the word used to describe an instance of a Java class.
What is the difference between a method header and its signature?
A: A Java method header is the whole declaration statement for a method before its curly braces. The header includes the method's visibility modifier, return type, arguments and exceptions, as below.
public final String getDetails(final File file,
final String key) throws IOException
A Java method signature is the method name and parameters only. The order of the parameters is significant because they may distinguish overloaded methods by the same name.
getDetails(File, String)
Can I use the same variable name in two methods?
A: It is possible to use the same variable names for method local variables in two separate methods. However, all variables in a single method must have different names.
public class MethodLocalVariables {
void testOne() {
int test;
}
void testTwo() {
int test;
}
}
Can objects be used in place of arrays?
A: Yes, sometimes it is sensible to use an object to carry other object references instead of an array. For instance, you could issue an object as the return value of a method that must return multiple object references.
What's the difference between equals and ==?
A: The Java == operator is used to compare primitive values such as int, long and boolean for equality; whether the variables, values or expression on either side of the operator equate to the same value.
Language features (Java Concepts)
Language features
Is Java a fully object oriented language?
A: Java is an object oriented language, but there is no standard that defines a "fully" object oriented language, it is a matter of definition and opinion
What are Java types are available?
A: There are two main divisions of data types in Java: object and primitive types. Object types are declared according to their class.
Object object = new Object();
Objects can also be cast to a more general superclass or interface type. This is known as polymorphism, which means the object behaves like, and can be treated as, an instance of the more general type.
// Type cast
Object object = new StringBuffer("Example");
// Interface
Comparable object = new File("c:\Example.txt");
What's the difference between the Java versions?
A: The major release versions of the Sun Java Software Development Kit (SDK, also known as the JDK) include significant API changes that provide extra programming features built upon the core Java software platform. That means that the basic features of the Java language do not change from one release to the next, so most existing programs will run successfully when compiled with the new SDK.
Some core packages may gain additional features in new Java releases, but it is very rare for established API features to be removed, which would break backwards compatibility. Superseded or problematic API methods are usually marked deprecated before they are removed altogether, to give programmers the chance to upgrade their code to the new standard. Deprecated classes and methods can still be used to develop and run Java programs, but the compiler will issue warnings.
What is the return type in Java?
A: All Java methods must declare a return type, which may be an object reference, primitive value or void. The void return declaration means that no value is returned, control is simply returned to the calling class. Methods with non-void return types must ensure that the appropriate object reference or primitive value is returned when the method completes. The method return value is like a message and often represents a property of the object, the product of a calculation or algorithm or a text output for instance.
What's the difference between checked and un-checked exceptions?
A: A Java checked exception represents a problematic case that can be anticipated when one instantiates an object or calls a method. A typical example is when you attempt to create a file or open a URL connection, which may fail for many reasons. Checked exceptions must be declared in the throws statement of a method header, and any class that calls the method must ensure that it handles all checked exceptions that may occur.
What is dynamic method dispatch?
A: Dynamic method dispatch is the process the Java runtime system uses to determine which method implementation to call in an inheritance hierarchy. For example, the Object class has a toString() method that all subclasses inherit, but the String class overrides this method to return its string content. If a String or other object type is assigned to an Object reference using application logic, the Java compiler cannot know in advance where a call to the toString() method will be resolved, it must be determined dynamically at runtime.
Memory allocation (Java Concepts)
How do I find the size of an object in Java?
A: There is no direct management of the storage size of code that is held in memory by the Java Virtual Machine (JVM). The virtual machine manages the allocation and de-allocation of storage through an integral garbage collection system. The JVM keeps track of all object references and periodically disposes of de-referenced objects to free memory.
It is possible to check the overall memory use of a Java application with methods in the java.lang.Runtime class. The freeMemory() method returns the spare memory available to the runtime system, the totalMemory() method reports the total memory allocated to the virtual machine.
What part of memory is used for interfaces and abstract classes?
A: Interfaces and abstract classes are part of the application programming interface for the Java language, but are never instantiated in their own right when a Java program is run. Only objects are instantiated in the Java Runtime Environment (JRE) and held in a division of the program's memory allocation called the heap. Stack memory holds primitive values and the memory addresses of objects on the heap.
A: There is no direct management of the storage size of code that is held in memory by the Java Virtual Machine (JVM). The virtual machine manages the allocation and de-allocation of storage through an integral garbage collection system. The JVM keeps track of all object references and periodically disposes of de-referenced objects to free memory.
It is possible to check the overall memory use of a Java application with methods in the java.lang.Runtime class. The freeMemory() method returns the spare memory available to the runtime system, the totalMemory() method reports the total memory allocated to the virtual machine.
What part of memory is used for interfaces and abstract classes?
A: Interfaces and abstract classes are part of the application programming interface for the Java language, but are never instantiated in their own right when a Java program is run. Only objects are instantiated in the Java Runtime Environment (JRE) and held in a division of the program's memory allocation called the heap. Stack memory holds primitive values and the memory addresses of objects on the heap.
Sunday, September 21, 2008
ITIL v3 and the Continual Service Improvement Model: A Strategy for Optimizing Value, Quality and Performance
Today, more than ever, IT must tightly align with the business. IT performance is tied to business performance: Every person-hour and every dollar must be allocated to deliver maximum business value. IT now provides much of the value the business offers its customers—as well as the effectiveness with which it works with its supply chain and business partners.
IT also must respond more quickly than ever to new and evolving business requirements. Two-year development cycles simply no longer work. So, alignment must be attained and maintained with tremendous agility.
Tight, timely business alignment can be achieved with the right strategies and tools. The IT Information Library (ITIL), originally designed by the British government to codify best practices and approaches to systems management, provides some of the industry’s most important guidance for maintaining alignment. Disciplined mainframe systems management—the structured adherence to change management, disaster recovery planning, testing and deployment—formed the basis for the development of ITIL. Although these processes had been long established in the mainframe world, they were still new to distributed systems. ITIL bridged that gap, offering a solution for all architectures.
This article focuses on one aspect of ITIL—continual service improvement—as it relates to mainframe systems management and the alignment of IT with the business. It’s based on the experiences of top IT organizations that have successfully implemented continual service improvement best practices in the mainframe environment. By learning from these experiences, IT organizations can effectively optimize the total business value they generate.
ITIL: Making IT Work
Business depends on IT. IT staff have technical skills and certifications, but their job isn’t to simply write code and maintain server performance. It’s to align with business goals to fuel growth and innovation. And that reflects a change in thinking from years past.
In describing his role 10 years ago, for example, the manager of IT support for a leading aerospace contractor probably would have focused on his coding expertise, certifications on systems and networks, and the number of patents he holds. Today, he speaks of business metrics and goals—and his team’s performance is measured by their response to business needs: “I manage a major service and support function for an enterprise,” he says. “It just happens to be IT.”
IT staff must be fully aware of the business needs and be completely focused on addressing ongoing service requirements. This can be achieved through the kind of proven best practices for which ITIL provides excellent guidance. The latest iteration of ITIL, version 3 (v3), outlines an approach for making IT as much a part of the business as an assembly line or a warehouse. ITIL v3 states that “capabilities and resources in the management of IT and the management of services are no longer perceived as merely operational concern or detail.”
In other words, IT services aren’t special services governed by their own arcane rules, as they were previously assumed to be. They deliver services that must be managed like all other business services—with attention to business goals, risks, service levels, and the bottom line. They also must be highly adaptable, enabling IT to rapidly respond to the changing business environment. Instead of being merely “cost centers,” IT services must be integral components of profit centers, providing the capability to increase revenue.
ITIL v3 explicitly supports the application of contemporary QA strategies to IT, especially in its fifth book—which addresses “continual service improvement” (see sidebar titled “ITIL v3: The Service Lifecycle”). A hallmark of present-day business management, Total Quality Management, Six Sigma, ISO 9000, QS9000, and Lean Manufacturing all rely on identifying and fostering a continuous cycle of planning, testing, implementation, and evaluation. ITIL was built upon one of the first descriptions of this cycle, the Deming Cycle (Plan, Do, Check, Act).
ITIL has always proposed that IT should think in terms of delivering services to the business—rather than implementing and maintaining the various “moving parts” of the enterprise IT environment. In practice, however, this message was often lost. In many cases, ITIL programs began and ended at the service desk, where ITIL practices were easily applied and yielded quick, but incomplete ROI. The next steps, which promised greater financial return, usually weren’t implemented because they required more significant shifts in thinking and behavior. They include managing change, development, and planning.
However, the few “early adopters” who’ve been able to change their approach and implement ITIL more fully have shown the business value of making the leap. Documented case studies of increased quality, higher availability, and better price-performance have validated the importance of making this seismic shift in IT strategy.
CMDB: At the Heart of Quality-of-Service Initiatives
To address the quality issue, ITIL v3 places increased emphasis on the Configuration Management System (CMS), which includes the creation and maintenance of Configuration Management Databases (CMDBs). One of the goals of the CMS with the CMDB implementation is to increase uptime by decreasing the time it takes to restore services. Uncontrolled and untested changes and configurations are a major cause of substantial interruptions or slowdowns in service. They also can be an obstacle to planning and implementing new services. The CMDB can show the business context of services by providing visibility about relationships between entities and their underpinning components—which can be system resources, applications, and services, among other things. As a result, it can be at the heart of quality-of-service initiatives, where premium services can be offered at a premium price, and offerings can be readily changed as business needs dictate.
The ultimate goal is to follow the example of leaders such as Amazon and Google in adapting technology to business, using IT to generate new revenue sources and levels of productivity. Although these companies opted for distributed servers (largely Unix and Windows), large enterprises have found the mainframe to be the optimal platform for generating new revenue streams. IBM has continued to modernize the mainframe so it offers newer capabilities such as WebSphere, SOA and Web services, while continuing to lead in Reliability, Availability, and Scalability (RAS)—as well as in price-performance, reduced energy consumption, and environmental impact. ITIL v3 promises to enhance this already compelling value proposition through the continual improvement cycle that keeps business goals in focus at every stage and IT involved at every point in the process (see sidebar titled “Traditional IT Management Systems in the Service Lifecycle”).
A Service-Centric View of Systems Infrastructure
Continual improvement requires that business services be followed through their entire service lifecycle. The philosopher George Santayana once wrote, “Those who do not remember the past are condemned to repeat it.” The same principle applies to service improvement in IT: Enterprises that don’t track and use all the information they can maintain about the services they provide to the business are condemned to keep repeating the same mistakes.
But how can IT organizations best create and preserve this knowledge?
The difficulty of this challenge has deep roots in the IT industry. IT professionals are highly trained engineers. Without their specialized knowledge and experience, IT infrastructure would come to a crashing halt. But depth of technical expertise is rarely matched with breadth of knowledge about how IT as a whole supports the business. A network engineer with detailed knowledge of the latest in switching and routing technology, for example, may have little interest or knowledge of the applications that use the networking services his group provides. He or she may have even less interest in the business rationale for the existence of those services. Similarly, performance analysts watch server and transaction performance, but may not understand how those performance metrics affect the actual end-user experience—which is ultimately what matters to the business.
This narrowness of focus is understandable. Attaining and maintaining competence in a specialized discipline such as network engineering is no easy task. But a stovepipe approach to IT management is one of the things that works against business alignment. And such an approach can become especially problematic when services cross mainframe and distributed systems.
Stovepipe specialization makes continual improvement very challenging. Was a rollout issue a problem in the way the design was communicated to the development team? A flaw in the design? Inadequate funding for staff or training? Was a persistent problem in production the result of a faulty design or misinterpreted priorities in operations?
To answer these questions, it’s essential to understand a service’s entire design process or history. This is one of the central lessons of ITIL: Strategy, design, transition, and operations all must contribute to continual service improvement. To achieve this, mainframe and distributed systems can’t be treated as separate silos. They must be incorporated into a holistic view of the various business services they support.
Summary
ITIL v3 and the continual service improvement model offer a way to achieve ongoing optimization of value, quality, and performance. If you’re looking to improve quality of your services, while increasing the ability to dynamically manage them, this may be the part of ITIL to focus on now.
IT also must respond more quickly than ever to new and evolving business requirements. Two-year development cycles simply no longer work. So, alignment must be attained and maintained with tremendous agility.
Tight, timely business alignment can be achieved with the right strategies and tools. The IT Information Library (ITIL), originally designed by the British government to codify best practices and approaches to systems management, provides some of the industry’s most important guidance for maintaining alignment. Disciplined mainframe systems management—the structured adherence to change management, disaster recovery planning, testing and deployment—formed the basis for the development of ITIL. Although these processes had been long established in the mainframe world, they were still new to distributed systems. ITIL bridged that gap, offering a solution for all architectures.
This article focuses on one aspect of ITIL—continual service improvement—as it relates to mainframe systems management and the alignment of IT with the business. It’s based on the experiences of top IT organizations that have successfully implemented continual service improvement best practices in the mainframe environment. By learning from these experiences, IT organizations can effectively optimize the total business value they generate.
ITIL: Making IT Work
Business depends on IT. IT staff have technical skills and certifications, but their job isn’t to simply write code and maintain server performance. It’s to align with business goals to fuel growth and innovation. And that reflects a change in thinking from years past.
In describing his role 10 years ago, for example, the manager of IT support for a leading aerospace contractor probably would have focused on his coding expertise, certifications on systems and networks, and the number of patents he holds. Today, he speaks of business metrics and goals—and his team’s performance is measured by their response to business needs: “I manage a major service and support function for an enterprise,” he says. “It just happens to be IT.”
IT staff must be fully aware of the business needs and be completely focused on addressing ongoing service requirements. This can be achieved through the kind of proven best practices for which ITIL provides excellent guidance. The latest iteration of ITIL, version 3 (v3), outlines an approach for making IT as much a part of the business as an assembly line or a warehouse. ITIL v3 states that “capabilities and resources in the management of IT and the management of services are no longer perceived as merely operational concern or detail.”
In other words, IT services aren’t special services governed by their own arcane rules, as they were previously assumed to be. They deliver services that must be managed like all other business services—with attention to business goals, risks, service levels, and the bottom line. They also must be highly adaptable, enabling IT to rapidly respond to the changing business environment. Instead of being merely “cost centers,” IT services must be integral components of profit centers, providing the capability to increase revenue.
ITIL v3 explicitly supports the application of contemporary QA strategies to IT, especially in its fifth book—which addresses “continual service improvement” (see sidebar titled “ITIL v3: The Service Lifecycle”). A hallmark of present-day business management, Total Quality Management, Six Sigma, ISO 9000, QS9000, and Lean Manufacturing all rely on identifying and fostering a continuous cycle of planning, testing, implementation, and evaluation. ITIL was built upon one of the first descriptions of this cycle, the Deming Cycle (Plan, Do, Check, Act).
ITIL has always proposed that IT should think in terms of delivering services to the business—rather than implementing and maintaining the various “moving parts” of the enterprise IT environment. In practice, however, this message was often lost. In many cases, ITIL programs began and ended at the service desk, where ITIL practices were easily applied and yielded quick, but incomplete ROI. The next steps, which promised greater financial return, usually weren’t implemented because they required more significant shifts in thinking and behavior. They include managing change, development, and planning.
However, the few “early adopters” who’ve been able to change their approach and implement ITIL more fully have shown the business value of making the leap. Documented case studies of increased quality, higher availability, and better price-performance have validated the importance of making this seismic shift in IT strategy.
CMDB: At the Heart of Quality-of-Service Initiatives
To address the quality issue, ITIL v3 places increased emphasis on the Configuration Management System (CMS), which includes the creation and maintenance of Configuration Management Databases (CMDBs). One of the goals of the CMS with the CMDB implementation is to increase uptime by decreasing the time it takes to restore services. Uncontrolled and untested changes and configurations are a major cause of substantial interruptions or slowdowns in service. They also can be an obstacle to planning and implementing new services. The CMDB can show the business context of services by providing visibility about relationships between entities and their underpinning components—which can be system resources, applications, and services, among other things. As a result, it can be at the heart of quality-of-service initiatives, where premium services can be offered at a premium price, and offerings can be readily changed as business needs dictate.
The ultimate goal is to follow the example of leaders such as Amazon and Google in adapting technology to business, using IT to generate new revenue sources and levels of productivity. Although these companies opted for distributed servers (largely Unix and Windows), large enterprises have found the mainframe to be the optimal platform for generating new revenue streams. IBM has continued to modernize the mainframe so it offers newer capabilities such as WebSphere, SOA and Web services, while continuing to lead in Reliability, Availability, and Scalability (RAS)—as well as in price-performance, reduced energy consumption, and environmental impact. ITIL v3 promises to enhance this already compelling value proposition through the continual improvement cycle that keeps business goals in focus at every stage and IT involved at every point in the process (see sidebar titled “Traditional IT Management Systems in the Service Lifecycle”).
A Service-Centric View of Systems Infrastructure
Continual improvement requires that business services be followed through their entire service lifecycle. The philosopher George Santayana once wrote, “Those who do not remember the past are condemned to repeat it.” The same principle applies to service improvement in IT: Enterprises that don’t track and use all the information they can maintain about the services they provide to the business are condemned to keep repeating the same mistakes.
But how can IT organizations best create and preserve this knowledge?
The difficulty of this challenge has deep roots in the IT industry. IT professionals are highly trained engineers. Without their specialized knowledge and experience, IT infrastructure would come to a crashing halt. But depth of technical expertise is rarely matched with breadth of knowledge about how IT as a whole supports the business. A network engineer with detailed knowledge of the latest in switching and routing technology, for example, may have little interest or knowledge of the applications that use the networking services his group provides. He or she may have even less interest in the business rationale for the existence of those services. Similarly, performance analysts watch server and transaction performance, but may not understand how those performance metrics affect the actual end-user experience—which is ultimately what matters to the business.
This narrowness of focus is understandable. Attaining and maintaining competence in a specialized discipline such as network engineering is no easy task. But a stovepipe approach to IT management is one of the things that works against business alignment. And such an approach can become especially problematic when services cross mainframe and distributed systems.
Stovepipe specialization makes continual improvement very challenging. Was a rollout issue a problem in the way the design was communicated to the development team? A flaw in the design? Inadequate funding for staff or training? Was a persistent problem in production the result of a faulty design or misinterpreted priorities in operations?
To answer these questions, it’s essential to understand a service’s entire design process or history. This is one of the central lessons of ITIL: Strategy, design, transition, and operations all must contribute to continual service improvement. To achieve this, mainframe and distributed systems can’t be treated as separate silos. They must be incorporated into a holistic view of the various business services they support.
Summary
ITIL v3 and the continual service improvement model offer a way to achieve ongoing optimization of value, quality, and performance. If you’re looking to improve quality of your services, while increasing the ability to dynamically manage them, this may be the part of ITIL to focus on now.
Wednesday, May 21, 2008
WebSphere Express in a VMware guest - Cloning
I am sure that you can save lot of time & efforts if you proceed
installing WAS after the clone.
installing WAS after the clone.
Khaja.
On May 21, 2:14 am, tim.w...@schwans.com wrote:
> We are getting ready to deploy a new site, using WebSphere Express hosted in a VMware ESX environment. One of the nice features of VMware guests is that one can clone a machine; I'd like to be able to build on instance of my host machine and then clone additional from there.
>
> The hosts will be running RHEL v.4 Update 6, WAS Express 6.1 and Apache Web Server. I can clone the first instance, and re-naming the OS is quite simple; here's my question. If I install WAS before the clone, is there a way to reconfigure the install to use the new machine name for the server/cell/etc? Is there a list of files that contain the name I can edit, or an administrative task I can perform? Or am I best off doing the clone before the install? I am working on building the response files for the installation(s) and I could have the necessary files ready and actually probably script the install, but as always, I am looking for the option that will give me the best/quickest results.
>
> Thanks in advance.
>
> Tim
Sunday, May 18, 2008
MQ Link
From: scag...@us.ibm.com
Date: May 16, 4:12 pm
Subject: MQ Link
To: ibm.software.websphere.application-server
Date: May 16, 4:12 pm
Subject: MQ Link
To: ibm.software.websphere.application-server
I just set up an MQ link using the following doc:
http://www.ibm.com/developerworks/forums/thread.jspa?
threadID=178523&tstart=0&messageID=14016821
I did not secure the link, becuase I do not need SSL security
How do I test the link (other than using a MDB)
Can I view MQ files from within WAS using the MQ link. Can I see the
contents or view the number of messages on the queue.
If not, in what way can I test the MQ link ?
Fwd: Best Practices
ibm.software.websphere.application-server
Ok, here's the short story. I work at a place where we use Websphere
Application Server with Oracle. Our environment consists of around 8
servers, each with Websphere along with one of the servers as Oracle.
Our architects along with help from IBM originally setup these WAS
servers to use the IP Address instead of a hostname or FQHN, etc.
Since these clusters are setup on a private LAN to talk to one
another, this works how it is. We usually have them talking with one
another either thru their own switch or VLAN, using IP Addresses.
We have a partnership with another company who does testing (sort of
like our QA department) and they hired this guy who claims he knows
everything that takes the servers we setup and installs/integrates it
into their environment to test. Even though he's never touched
websphere before he got hired, he's now trying to demans we change our
long process of using FQHN instead, saying it's best practice and
claims that IBM Websphere documentation says to avoid using IP
Addresses, even though IBM from the beginning helped us setup our
clusters with IP Addresses. (To make that portion short, our actual
client who uses this environment will not allow a separate DNS for
FQHN). I also believe that if you want to go by best practices, you
would skip setting these up using the /etc/hosts like this guy wants
done on each server but this is just making a simple setup more
complicated cause we gave them a new cluster and they refuse to put
the backend IP Addresses we used on its own VLAN or buy a switch.
Can anyone tell me if there's any documentation that actually states
in writing that IBM says to avoid using IP addresses when setting up
WAS, even though I've seen some documentation use IP Addresses instead
of hostnames when setting up clusters?
And trust me, I've been a Unix admin for a long time, I understand
"best practices" but I also believe in, "if it isn't broke, don't fix
it". I have a case against this guys demands so we don't have to
change our whole process of delivery and we want their test
environment exactly how production is setup but I hate it when people
might be blurting out things that aren't necessarily true.
Thanks.
Newsgroups: ibm.software.websphere.application-server
From: "Ben_" <re...@newsgroup.com>
Date: Sat, 17 May 2008 09:27:51 +0200
Local: Sat, May 17 2008 3:27 am
Subject: Re: Best Practices
they hired this guy who claims he knows everything
Exporting your frustation here won't help... :-)
> saying it's best practice and claims that IBM Websphere documentation says
> to avoid using IP Addresses
Generally speaking, it's indeed recommended to use DNS aliases instead
of IP
addresses or real hostname for the flexibility it brings in terms of
network
and system management.
A drawback of this I can think of is that it opens the server to DNS
spoofing attacks.
> even though IBM from the beginning helped us
It's not a guarantee. I saw IBM consultants do weird things to say
the
least... :-)
> they refuse to put the backend IP Addresses we used on its own VLAN or buy
> a switch.
I don't understand what you mean here.
If they prefer to use hostname, they can put it in your/their DNS.
> Can anyone tell me if there's any documentation that actually states in
> writing that IBM says to avoid using IP addresses when setting up WAS,
> even though I've seen some documentation use IP Addresses instead of
> hostnames when setting up clusters?
There is enough formal documentation where use of IP or hostname are
mentionned, be it in Technotes or InfoCenter.
E.g. this Technote explains how to change it:
http://www-1.ibm.com/support/docview.wss?uid=nas1c6cf048cd783df7b8625....
Thursday, May 15, 2008
WebSphere Technical Exchange Webcast
WebSphere Application Server Administration with Jython
Presenter(s): Bob Gibson
Time: 28 May 2008, 11 AM EDT (GMT-4)
Presenter(s): Bob Gibson
Time: 28 May 2008, 11 AM EDT (GMT-4)
Insufficient WebSphere® Application Server administrative scripting
examples written in Jython are available for review and learning.
Techniques, idioms, and some complete Jython scripts will be
described, discussed, and made available.
Please call into the phone conference and join the e-meeting 10
minutes early.
Web conference
URL:
Password: wste28may
Phone conference
Confirmation number: 4249220
US Toll-free number: 888-293-6953
International number: 719-325-2177
IBM only tie-line: 650-2041
Belgium 0800-75239
Denmark 8088-6220
France 0800-903255
Germany 0800-181-9023
Italy 800-873-740
Netherlands 0800-023-5304
Norway 800-19666
Portugal 800-819-729
Spain 900-947-605
Sweden 02-079-0880
Switzerland 0800-564-398
South Africa 0800-980-989
United Kingdom 0808-101-1147
Wednesday, May 14, 2008
Unable to start MDB Listener... ..javax.security.auth.login.LoginException
From: lna...@us.ibm.com
Date: May 14, 6:33 pm
Subject: Unable to start MDB
Listener... ..javax.security.auth.login.LoginException
To: ibm.software.websphere.application-server
Date: May 14, 6:33 pm
Subject: Unable to start MDB
Listener... ..javax.security.auth.login.LoginException
To: ibm.software.websphere.application-server
Problem when I start application containing MDBs & ListenerPorts. 5
MDBs tied to 5 ListenerPorts within the application, 4 MDBs/
ListenerPorts start fine with no problem, 5th causes the following
exception and then stops the ListenerPort. Problem occurs whether
Global Security is turned on or off.
I am using WAS ND v6.1.0.13
5/14/08 9:03:40:921 EDT 0000001c MDBListenerIm W WMSG0019E: Unable
to start MDB Listener ProcessSubmission, JMSDestination jms/
Q_SubmissionReceipt : java.security.PrivilegedActionException:
javax.security.auth.login.LoginException: No LoginModules configured
for
at
com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.jav
a:12 2)
at
com.ibm.ejs.jms.listener.MDBListenerImpl.createResources(MDBListenerImpl.ja
va:3 67)
at
com.ibm.ejs.jms.listener.MDBListenerImpl.internalStart(MDBListenerImpl.java:
727 )
at
com.ibm.ejs.jms.listener.MDBListenerImpl.start(MDBListenerImpl.java:
650)
at
com.ibm.ejs.jms.listener.MDBListenerManagerImpl.start(MDBListenerManagerImp
l.ja va:634)
at
com.ibm.ejs.jms.listener.MsgListenerPort.add(MsgListenerPort.java:227)
at
com.ibm.ejs.jms.listener.MDBListenerManagerImpl.startApplicationMDBs(MDBLis
tene rManagerImpl.java:872)
at
com.ibm.ejs.jms.listener.MDBListenerManagerImpl.stateChanged(MDBListenerMan
ager Impl.java:830)
at
com.ibm.ws.runtime.component.MessageListenerImpl.stateChanged(MessageListen
erIm pl.java:188)
at
com.ibm.ws.runtime.component.ApplicationMgrImpl.stateChanged(ApplicationMgr
Impl .java:1253)
at
com.ibm.ws.runtime.component.DeployedApplicationImpl.fireDeployedObjectEven
t(De ployedApplicationImpl.java:1148)
at
com.ibm.ws.runtime.component.DeployedApplicationImpl.setState(DeployedAppli
cati onImpl.java:243)
at
com.ibm.ws.runtime.component.DeployedApplicationImpl.setState(DeployedAppli
cati onImpl.java:238)
at
com.ibm.ws.runtime.component.DeployedApplicationImpl.start(DeployedApplicat
ionI mpl.java:844)
at
com.ibm.ws.runtime.component.ApplicationMgrImpl.startApplication(Applicatio
nMgr Impl.java:950)
at com.ibm.ws.runtime.component.ApplicationMgrImpl
$AppInitializer.run(ApplicationM grImpl.java:2120)
at com.ibm.wsspi.runtime.component.WsComponentImpl
$_AsynchInitializer.run(WsCompon entImpl.java:342)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1469)
This seems to have worked fine in my RSA development environment
running against a WAS v6.1 (non-ND) server but is failing once
deployed to the WAS ND v6.1.0.13 server environment.
Has anyone seen this before or can provide any suggestions/solutions?
Could this be due to some code/action unique to the failing MDB?
Newsgroups: ibm.software.websphere.application-server
From: Infyniti <infyn...@gmail.com>
Date: Wed, 14 May 2008 09:52:59 EDT
Local: Wed, May 14 2008 6:52 pm
Subject: Re: Unable to start MDB
Listener... ..javax.security.auth.login.LoginException
lnayda wrote:
Problem when I start application containing MDBs & ListenerPorts. 5
MDBs tied to 5 ListenerPorts within the application, 4 MDBs/
ListenerPorts start fine with no problem, 5th causes the following
exception and then stops the ListenerPort. Problem occurs whether
Global Security is turned on or off.
Does the JAAS alias for the queue connection factory for the 5th MDB
is same as the rest of them.
If yes, then check if the id has access to the queue. Also double
check both the QCF and QD attributes for that MDB.
Thanks
Anant
Newsgroups: ibm.software.websphere.application-server
From: lna...@us.ibm.com
Date: Wed, 14 May 2008 11:10:48 EDT
Local: Wed, May 14 2008 8:10 pm
Subject: Re: Unable to start MDB
Listener... ..javax.security.auth.login.LoginException
By setting the "Mapping-configuration alias" to
"DefaultPricipalMapping" on the 5th MDB it now works.
I'm not sure why it is acting this way because even though the MQ
security attributes for the 4th Queue and the configuration of the MDB/
ListenerPort is identical to the 5th, I only had problems on the 5th
and needed to set the "Mapping-configuration alias" on the 5th to cure
this problem. ???
"Mapping-configuration alias" is (none) on the 4th but it is working
fine.
Happy that it works now, and thank you for your advice and
assistance.
Re: Question about the Trial and Beta version of WebSphere
On May 14, 7:42 pm, jmarch...@cobbcounty.org wrote:
> Does anyone know if the trial can be reinstalled once the time is up? I'm only interested in using it to learn. Reinstalling can only help me. Not trying to circumvent any license. I don't know what it says. Or, does anyone know if the beta is "crippled" in any way? I would simply use the community edition, but it is lacking functionality like portlets. I can use it to create the applications and test, but I need to learn to use the real product.
>
> Thanks.
> Does anyone know if the trial can be reinstalled once the time is up? I'm only interested in using it to learn. Reinstalling can only help me. Not trying to circumvent any license. I don't know what it says. Or, does anyone know if the beta is "crippled" in any way? I would simply use the community edition, but it is lacking functionality like portlets. I can use it to create the applications and test, but I need to learn to use the real product.
>
> Thanks.
The only way to use Websphere application server Beta or Trial
versions after time is up without reinstalling the WAS product you
need to change Date & time settings of the system and reboot the
Operating System, try this if doesn't works please let me know.
Regards,
Khaja
Thursday, May 8, 2008
Sun Java System Directory Server 6.2 Database May Become Corrupted
1. Impact
A race condition may cause database pages for Sun Java System Directory Server to not sync to disk, resulting in possible Directory Server database corruption. Depending on which pages are affected, the impact may vary.
2. Contributing Factors
This issue can occur in the following releases for all platforms (Solaris 8, 9, and 10 SPARC and x86 Platforms, Linux, Windows, HP-UX):
* Sun Java System Directory Server Enterprise Edition 6.2
Note: Directory Server 6.1, 6.0, 5.2 and 5.1 are not affected by this issue.
To determine if the Directory Server running on a system is affected, the following command can be used:
$ dsadm -V
If the output contains the version string 6.2, the system is affected.
3. Symptoms
Depending on which database page is affected and which operation tries to access it, the resulting error messages can be different, but in the most frequent cases a message similar to the following is logged:
DEBUG - conn=-1 op=-1 msgId=-1 - libdb: PANIC: fatal region error detected; run recovery
4. Workaround
There is no workaround for this issue. Please see the Resolution section below.
5. Resolution
This issue is addressed in the following releases:
Native Package Versions:
* Solaris 9 and 10 with SPARC patch 125276-07 or later
* Solaris 9 x86 with patch 125277-07 or later
* Solaris 10 x86 and x64 with patch 125278-07 or later
* Linux with patch 125309-07 or later
* Windows with patch 125311-07 or later
PatchZIP (Compressed Archive) versions:
* Solaris 9 and 10 with SPARC patch 126748-04 or later
* Solaris 9 x86 with patch 126749-04 or later
* Solaris 10 x86 and x64 with patch 126750-04 or later
* Linux with patch 126751-04 or later
* Windows with patch 126753-04 or later
* HP-UX with patch 126752-04 or later
Note: After patches have been applied: Since the database corruption can be present but undetected, it is recommended to rebuild the database by exporting to an ldif file and reimporting the ldif file. In a replicated environment, all servers need to be rebuilt or reinitialized. Export/Import and initializing servers in a replicated environment is documented in the DSEE reference guide at:
http://docs.sun.com/app/docs/doc/820-2491/bcaim?a=view
For More details:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-235361-1
A race condition may cause database pages for Sun Java System Directory Server to not sync to disk, resulting in possible Directory Server database corruption. Depending on which pages are affected, the impact may vary.
2. Contributing Factors
This issue can occur in the following releases for all platforms (Solaris 8, 9, and 10 SPARC and x86 Platforms, Linux, Windows, HP-UX):
* Sun Java System Directory Server Enterprise Edition 6.2
Note: Directory Server 6.1, 6.0, 5.2 and 5.1 are not affected by this issue.
To determine if the Directory Server running on a system is affected, the following command can be used:
$ dsadm -V
If the output contains the version string 6.2, the system is affected.
3. Symptoms
Depending on which database page is affected and which operation tries to access it, the resulting error messages can be different, but in the most frequent cases a message similar to the following is logged:
DEBUG - conn=-1 op=-1 msgId=-1 - libdb: PANIC: fatal region error detected; run recovery
4. Workaround
There is no workaround for this issue. Please see the Resolution section below.
5. Resolution
This issue is addressed in the following releases:
Native Package Versions:
* Solaris 9 and 10 with SPARC patch 125276-07 or later
* Solaris 9 x86 with patch 125277-07 or later
* Solaris 10 x86 and x64 with patch 125278-07 or later
* Linux with patch 125309-07 or later
* Windows with patch 125311-07 or later
PatchZIP (Compressed Archive) versions:
* Solaris 9 and 10 with SPARC patch 126748-04 or later
* Solaris 9 x86 with patch 126749-04 or later
* Solaris 10 x86 and x64 with patch 126750-04 or later
* Linux with patch 126751-04 or later
* Windows with patch 126753-04 or later
* HP-UX with patch 126752-04 or later
Note: After patches have been applied: Since the database corruption can be present but undetected, it is recommended to rebuild the database by exporting to an ldif file and reimporting the ldif file. In a replicated environment, all servers need to be rebuilt or reinitialized. Export/Import and initializing servers in a replicated environment is documented in the DSEE reference guide at:
http://docs.sun.com/app/docs/doc/820-2491/bcaim?a=view
For More details:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-235361-1
Friday, April 18, 2008
WebSphere AppServer 7.0! Open Beta coming soon in May
IBM announced.
WebSphere AppServer 7.0! Open Beta coming soon in May
WAS 7.0 will be available in Beta in May 2008. (It's an open Beta, all registered users can test drive it.) There is also a RAD 7.5 Open Beta in the same timeframe too.
WebSphere AppServer 7.0! Open Beta coming soon in May
WAS 7.0 will be available in Beta in May 2008. (It's an open Beta, all registered users can test drive it.) There is also a RAD 7.5 Open Beta in the same timeframe too.
Wednesday, April 16, 2008
How can I determine the top 10 processes that have accumulated the most CPU time
How can I determine the top 10 processes that have accumulated the most CPU time?
A: The following script will display the top 10 processes that have accumulated the most CPU time:
ps -e head -n 1; ps -e egrep -v "TIME0:" sort -2b -3 -n -r head -n 10
Save the above in a file and issue 'chmod +x' before running it.
A: The following script will display the top 10 processes that have accumulated the most CPU time:
ps -e head -n 1; ps -e egrep -v "TIME0:" sort -2b -3 -n -r head -n 10
Save the above in a file and issue 'chmod +x
PsInfo :- Obtain information about a system on WINDOWS
PsInfo v1.75
Introduction
PsInfo is a command-line tool that gathers key information about the local or remote Windows NT/2000 system, including the type of installation, kernel build, registered organization and owner, number of processors and their type, amount of physical memory, the install date of the system, and if its a trial version, the expiration date.
Installation
Just copy PsInfo onto your executable path, and type "psinfo".
PsInfo works on NT 4.0 and higher (including Windows Vista).
Usage
By default PsInfo shows information for the local system. Specify a remote computer name to obtain information from the remote system. Since PsInfo relies on remote Registry access to obtain its data, the remote system must be running the Remote Registry service and the account from which you run PsInfo must have access to the HKLM\System portion of the remote Registry.
In order to aid in automated Service Pack updates, PsInfo returns as a value the Service Pack number of system (e.g. 0 for no service pack, 1 for SP 1, etc).
usage: psinfo [[\\computer[,computer[,..] @file [-u user [-p psswd]]] [-h] [-s] [-d] [-c [-t delimiter]] [filter] \\computer
Perform the command on the remote computer or computers specified. If you omit the computer name the command runs on the local system, and if you specify a wildcard (\\*), the command runs on all computers in the current domain.
@file
Run the command on each computer listed in the text file specified.
-u
Specifies optional user name for login to remote computer.
-p
Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password.
-h
Show list of installed hotfixes.
-s
Show list of installed applications.
-d
Show disk volume information.
-c
Print in CSV format.
-t
The default delimiter for the -c option is a comma, but can be overriden with the specified character.
filter
Psinfo will only show data for the field matching the filter. e.g. "psinfo service" lists only the service pack field.
Example Output
c:> psinfo \\development -h -d PsInfo v1.6 - local and remote system information viewer
System information for \\DEVELOPMENT:
Uptime: 28 days, 0 hours, 15 minutes, 12 seconds
Kernel version: Microsoft Windows XP, Multiprocessor Free
Product type Professional
Product version: 5.1
Service pack: 0
Kernel build number: 2600
Registered organization: xxxxxxxx
Registered owner: xxxxxxxxxxx
Install date: 04/15/2008, 6:45:21 PM
Activation status: Activated
IE version: 6.0000
System root: C:\WINDOWS
Processors: 1
Processor speed: 1.7 GHz
Processor type: Intel Pentium IV
Physical memory: 1024 MB
Volume Type Format Label Size Free Free
A: Removable 0%
C: Fixed NTFS WINXP 7.8 GB 1.3 GB 16%
D: Fixed NTFS DEV 10.7 GB 809.7 MB 7%
H: CD-ROM CDFS JEDIOUTCAST 633.6 MB 0%
I: CD-ROM 0% Q: Remote 0%
T: Fixed NTFS Test 502.0 MB 496.7 MB 99%
OS Hot Fix Installed
How it Works
PsInfo uses the Remote Registry API to read system information from a system's Registry, and WMI to determine whether Windows XP installations have been activated.
Introduction
PsInfo is a command-line tool that gathers key information about the local or remote Windows NT/2000 system, including the type of installation, kernel build, registered organization and owner, number of processors and their type, amount of physical memory, the install date of the system, and if its a trial version, the expiration date.
Installation
Just copy PsInfo onto your executable path, and type "psinfo".
PsInfo works on NT 4.0 and higher (including Windows Vista).
Usage
By default PsInfo shows information for the local system. Specify a remote computer name to obtain information from the remote system. Since PsInfo relies on remote Registry access to obtain its data, the remote system must be running the Remote Registry service and the account from which you run PsInfo must have access to the HKLM\System portion of the remote Registry.
In order to aid in automated Service Pack updates, PsInfo returns as a value the Service Pack number of system (e.g. 0 for no service pack, 1 for SP 1, etc).
usage: psinfo [[\\computer[,computer[,..] @file [-u user [-p psswd]]] [-h] [-s] [-d] [-c [-t delimiter]] [filter] \\computer
Perform the command on the remote computer or computers specified. If you omit the computer name the command runs on the local system, and if you specify a wildcard (\\*), the command runs on all computers in the current domain.
@file
Run the command on each computer listed in the text file specified.
-u
Specifies optional user name for login to remote computer.
-p
Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password.
-h
Show list of installed hotfixes.
-s
Show list of installed applications.
-d
Show disk volume information.
-c
Print in CSV format.
-t
The default delimiter for the -c option is a comma, but can be overriden with the specified character.
filter
Psinfo will only show data for the field matching the filter. e.g. "psinfo service" lists only the service pack field.
Example Output
c:> psinfo \\development -h -d PsInfo v1.6 - local and remote system information viewer
System information for \\DEVELOPMENT:
Uptime: 28 days, 0 hours, 15 minutes, 12 seconds
Kernel version: Microsoft Windows XP, Multiprocessor Free
Product type Professional
Product version: 5.1
Service pack: 0
Kernel build number: 2600
Registered organization: xxxxxxxx
Registered owner: xxxxxxxxxxx
Install date: 04/15/2008, 6:45:21 PM
Activation status: Activated
IE version: 6.0000
System root: C:\WINDOWS
Processors: 1
Processor speed: 1.7 GHz
Processor type: Intel Pentium IV
Physical memory: 1024 MB
Volume Type Format Label Size Free Free
A: Removable 0%
C: Fixed NTFS WINXP 7.8 GB 1.3 GB 16%
D: Fixed NTFS DEV 10.7 GB 809.7 MB 7%
H: CD-ROM CDFS JEDIOUTCAST 633.6 MB 0%
I: CD-ROM 0% Q: Remote 0%
T: Fixed NTFS Test 502.0 MB 496.7 MB 99%
OS Hot Fix Installed
How it Works
PsInfo uses the Remote Registry API to read system information from a system's Registry, and WMI to determine whether Windows XP installations have been activated.
Critical Patch Update - April 2008 for Oracle, PeopleSoft and JD Edwards products
Critical Patch Update – April 2008 The Critical Patch Update for April 2008 was released on April 15, 2008.
Oracle strongly recommends applying the patches as soon as possible.
The Critical Patch Update Advisory is the starting point for relevant information.
It includes a list of products affected, pointers to obtain the patches, a summary of the security vulnerabilities, and links to other important documents. Supported Products that are not listed in the "Supported Products and Components Affected" Section of the advisory do not require new patches to be applied.Also, it is essential to review the Critical Patch Update supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.
The Critical Patch Update Advisory is available at any of the following locations:
Oracle Technology Network
Oracle, PeopleSoft and JD Edwards products
The next four Critical Patch Update release dates are:
July 15, 2008
October 14, 2008
January 13, 2009
April 14, 2009
Sincerely,
Oracle Security Alerts
Copyright © 2008, Oracle Corporation and/or its affiliates.All rights reserved.
Oracle strongly recommends applying the patches as soon as possible.
The Critical Patch Update Advisory is the starting point for relevant information.
It includes a list of products affected, pointers to obtain the patches, a summary of the security vulnerabilities, and links to other important documents. Supported Products that are not listed in the "Supported Products and Components Affected" Section of the advisory do not require new patches to be applied.Also, it is essential to review the Critical Patch Update supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.
The Critical Patch Update Advisory is available at any of the following locations:
Oracle Technology Network
Oracle, PeopleSoft and JD Edwards products
The next four Critical Patch Update release dates are:
July 15, 2008
October 14, 2008
January 13, 2009
April 14, 2009
Sincerely,
Oracle Security Alerts
Copyright © 2008, Oracle Corporation and/or its affiliates.All rights reserved.
Tuesday, April 15, 2008
Sample Questions for Websphere Application server certification.
1: What must be done to monitor EJB methods using Tivoli Performance Viewer (TPV)?(select 1)
Explanation:
http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/tprf_instrlevelejb.html
a: Select standard monitoring, and monitoring level to high.
b: Select standard monitoring, and monitoring level to Maximum.
c: Select custom monitoring, and monitoring level to high.
d: Select custom monitoring, and monitoring level to Maximum.
2: After installing WebSphere Application Server V5, using the standard installation with defaults -which is TRUE about the ports the WebSphere binds to?(select 2)
Explanation: The tricky part of this question is that all of the ports listed are commonly used throughout WebSphere. Also, the ports look very similar, so at first glance, if you are in a rush - you may choose the wrong answer. The admin console listens on 2 ports: the first is non-secured (using http), and the second is secured (using https, after enabling global security). See the info center link:
http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp?topic=/com.ibm.websphere.nd.doc/in
fo/ae/ae/rins_portnumber.html
a: The embedded HTTP server listens on port 80, unless a Web Server is installed on the same machine such as IBM HTTP Server.
b: The WebSphere Admin Console can be accessed on port 9080.
c: The WebSphere Network Deployment Admin Console can be securely accessed on port 9043
d: The WebSphere Admin Console can be accessed on port 9090.
e: The WebSphere Network Deployment Admin Console can be securely accessed on port 9443
How can LDAP be used with WebSphere Application Server V5?(select 1)
Explanation: Many people think they have correctly answered this question - when in fact they have not. There is a common mis-perception about what LDAP is. The following link will give you a better understanding: http://wp.netscape.com/directory/v4.0/faq.html#6 or, the following IBM Redbook is also helpful: Understanding LDAP Design and Implementation, Chapter 1, page 3 http://www.redbooks.ibm.com/redbooks/pdfs/sg244986.pdf
a: LDAP is the namespace that WebSphere uses to lookup objects in WebSphere such as EJBs and datasources.
b: LDAP is a repository containing user/group information. WebSphere can perform authentication against it.
c: LDAP is the Internet standard for directory lookups. WebSphere can use this protocol in performing authentication.
d: LDAP allows the Http plugin to communicate to the embedded Http Server in WebSphere
Explanation:
http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/tprf_instrlevelejb.html
a: Select standard monitoring, and monitoring level to high.
b: Select standard monitoring, and monitoring level to Maximum.
c: Select custom monitoring, and monitoring level to high.
d: Select custom monitoring, and monitoring level to Maximum.
2: After installing WebSphere Application Server V5, using the standard installation with defaults -which is TRUE about the ports the WebSphere binds to?(select 2)
Explanation: The tricky part of this question is that all of the ports listed are commonly used throughout WebSphere. Also, the ports look very similar, so at first glance, if you are in a rush - you may choose the wrong answer. The admin console listens on 2 ports: the first is non-secured (using http), and the second is secured (using https, after enabling global security). See the info center link:
http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp?topic=/com.ibm.websphere.nd.doc/in
fo/ae/ae/rins_portnumber.html
a: The embedded HTTP server listens on port 80, unless a Web Server is installed on the same machine such as IBM HTTP Server.
b: The WebSphere Admin Console can be accessed on port 9080.
c: The WebSphere Network Deployment Admin Console can be securely accessed on port 9043
d: The WebSphere Admin Console can be accessed on port 9090.
e: The WebSphere Network Deployment Admin Console can be securely accessed on port 9443
How can LDAP be used with WebSphere Application Server V5?(select 1)
Explanation: Many people think they have correctly answered this question - when in fact they have not. There is a common mis-perception about what LDAP is. The following link will give you a better understanding: http://wp.netscape.com/directory/v4.0/faq.html#6 or, the following IBM Redbook is also helpful: Understanding LDAP Design and Implementation, Chapter 1, page 3 http://www.redbooks.ibm.com/redbooks/pdfs/sg244986.pdf
a: LDAP is the namespace that WebSphere uses to lookup objects in WebSphere such as EJBs and datasources.
b: LDAP is a repository containing user/group information. WebSphere can perform authentication against it.
c: LDAP is the Internet standard for directory lookups. WebSphere can use this protocol in performing authentication.
d: LDAP allows the Http plugin to communicate to the embedded Http Server in WebSphere
HP-UX, AIX, Solaris Certified for 11g DB and Apps 11i
Here's some good news from Oracle Platform Engineering team :
http://blogs.oracle.com/schan/2008/04/04#a2587
The following new platforms are now certified with the E-Business Suite Release 11i and the Oracle Database 11g Release 11 (11.1.0.6.0):
HP-UX PA RISC,
Sun Solaris SPARC
IBM AIXThe revised platform availability list is now:
Linux x86-32
HP-UX PA-RISC
IBM AIX
Sun Solaris SPARC
Windows x86Certification on other platforms is in progress; you're welcome to monitor or subscribe to this blog for updates, which I'll post as soon as they're available.
http://blogs.oracle.com/schan/2008/04/04#a2587
The following new platforms are now certified with the E-Business Suite Release 11i and the Oracle Database 11g Release 11 (11.1.0.6.0):
HP-UX PA RISC,
Sun Solaris SPARC
IBM AIXThe revised platform availability list is now:
Linux x86-32
HP-UX PA-RISC
IBM AIX
Sun Solaris SPARC
Windows x86Certification on other platforms is in progress; you're welcome to monitor or subscribe to this blog for updates, which I'll post as soon as they're available.
Create And Remove A Remote Printer Queue (CLI)
You can easily create and remove a remote printer queue using the BSD type spooler. You just have to fill the configuration file /tmp/lp.list properly, i.e. provide the local printer name, the remote LPD server, and the remote printer queue:
--------------------------------------------------------------------------------------------------
# cat <<> /tmp/lp.list
locname1 lpdserv1 remname1
locname2 lpdserv2 remname2
EOF
--------------------------------------------------------------------------------------------------
Then, just run the appropriate script depending of the desired behavior. Follow, an example when removing the two queues:
---------------------------------------------------------------------------------------------------
# cat <<> /tmp/lp.remove
#!/usr/bin/env sh
for lplocal in `awk '{print $1}' /tmp/lp.list`; do
/usr/sbin/lpshut
/usr/bin/cancel ${lplocal} -e 2> /dev/null
/usr/sbin/lpadmin -x${lplocal}
/usr/sbin/lpsched -v
sleep 1
done
exit 0
EOF
# sh /tmp/lp.remove
scheduler stopped
scheduler is running
scheduler stopped
scheduler is running
# lpstat -olocname1
no system default destination
lpstat: "locname1" not a request id or a destination
----------------------------------------------------------------------------------------------------
And now, the creation:
----------------------------------------------------------------------------------------------------
# cat <<> /tmp/lp.create
#!/usr/bin/env sh
while read lp; do
eval set -- `IFS=" "; printf '"%s" ' ${lp}`
lplocal="$1"
lpserver="$2"
lpremote="$3"
/usr/sbin/lpshut
/usr/sbin/lpadmin -p${lplocal} -orm${lpserver} -orp${lpremote} \
-mrmodel -v/dev/null -orc -ob3 -ocmrcmodel -osmrsmodel
/usr/sbin/accept ${lplocal}
/usr/bin/enable ${lplocal}
/usr/sbin/lpsched -v
sleep 1
done < /tmp/lp.list
exit 0
EOF
# sh /tmp/lp.create
scheduler stopped
destination "locname1" now accepting requests
printer "locname1" now enabled
scheduler is running
scheduler stopped
destination "locname2" now accepting requests
printer "locname2" now enabled
scheduler is running
# lpstat -olocname1
no system default destination
printer queue for locname1
Windows LPD Server
Printer \\lpdserv1\remname1
Owner Status Jobname Job-Id Size Pages Priority
----------------------------------------------------------------------------
hostname: locname1: ready and waiting
no entries
---------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------
# cat <<> /tmp/lp.list
locname1 lpdserv1 remname1
locname2 lpdserv2 remname2
EOF
--------------------------------------------------------------------------------------------------
Then, just run the appropriate script depending of the desired behavior. Follow, an example when removing the two queues:
---------------------------------------------------------------------------------------------------
# cat <<> /tmp/lp.remove
#!/usr/bin/env sh
for lplocal in `awk '{print $1}' /tmp/lp.list`; do
/usr/sbin/lpshut
/usr/bin/cancel ${lplocal} -e 2> /dev/null
/usr/sbin/lpadmin -x${lplocal}
/usr/sbin/lpsched -v
sleep 1
done
exit 0
EOF
# sh /tmp/lp.remove
scheduler stopped
scheduler is running
scheduler stopped
scheduler is running
# lpstat -olocname1
no system default destination
lpstat: "locname1" not a request id or a destination
----------------------------------------------------------------------------------------------------
And now, the creation:
----------------------------------------------------------------------------------------------------
# cat <<> /tmp/lp.create
#!/usr/bin/env sh
while read lp; do
eval set -- `IFS=" "; printf '"%s" ' ${lp}`
lplocal="$1"
lpserver="$2"
lpremote="$3"
/usr/sbin/lpshut
/usr/sbin/lpadmin -p${lplocal} -orm${lpserver} -orp${lpremote} \
-mrmodel -v/dev/null -orc -ob3 -ocmrcmodel -osmrsmodel
/usr/sbin/accept ${lplocal}
/usr/bin/enable ${lplocal}
/usr/sbin/lpsched -v
sleep 1
done < /tmp/lp.list
exit 0
EOF
# sh /tmp/lp.create
scheduler stopped
destination "locname1" now accepting requests
printer "locname1" now enabled
scheduler is running
scheduler stopped
destination "locname2" now accepting requests
printer "locname2" now enabled
scheduler is running
# lpstat -olocname1
no system default destination
printer queue for locname1
Windows LPD Server
Printer \\lpdserv1\remname1
Owner Status Jobname Job-Id Size Pages Priority
----------------------------------------------------------------------------
hostname: locname1: ready and waiting
no entries
---------------------------------------------------------------------------------------------------
WebSphere Application Server V6.1 on the Solaris 10 Operating System
The Redbook is titled something like "IBM WebSphere on Sun Solaris" and will be available now. Just wanted to let everyone know that this is going to be a onestop information for your Websphere deployment on Solaris. I am sure some of the chapters are really great and will answer many of the questions being asked frequently.
In this book documented how WebSphere Application Server V6.1 and Solaris 10 can be configured, optimized, and managed. We described how to virtualize and manage WAS installation, deployment strategies and scenarios, the advanced features of Solaris 10 (e.g. SMF, Resource Management, Process Rights, Containers and Zones, ZFS, DTrace), the differences of WAS on Solaris from other platforms (e.g. Sun JDK), how to monitor and tune WAS along with Sun JVM, Solaris, and much more.
Here is the link to the Redbook:
http://www.redbooks.ibm.com/redbooks/pdfs/sg247584.pdf
In this book documented how WebSphere Application Server V6.1 and Solaris 10 can be configured, optimized, and managed. We described how to virtualize and manage WAS installation, deployment strategies and scenarios, the advanced features of Solaris 10 (e.g. SMF, Resource Management, Process Rights, Containers and Zones, ZFS, DTrace), the differences of WAS on Solaris from other platforms (e.g. Sun JDK), how to monitor and tune WAS along with Sun JVM, Solaris, and much more.
Here is the link to the Redbook:
http://www.redbooks.ibm.com/redbooks/pdfs/sg247584.pdf
Certificate expire issue in Websphere Application server 6.1.X
Introduction:
The default self-signed certificate on version 6.1 servers has a life span of 1 year. By default every 28 days the server checks and reports the status of certificate expiration, by updating the APAR Fix : PK42863: 6.1.0.5 With this fix, a couple of things are being done to prevent service outages: 1. A prenotification message will start appearing 90 days before the threshold period. Warning user that certificates will get replaced when in the expiration threshold. 2. The default self-signed certificate life span is extended to 15 years. Note: this is only applicable for a profile which will be created after applying this APAR fix. APAR Fix: PK36869: After automatic cert renewal DMGR cannot talk to Nodeagents. "JSSL0080E SSL HANDSHAKE EXECPTION"In WAS 6.1 the default certificate expires in one year. Just before the expiration, the cert is renewed automatically. After this automatic cert renewal, dmgr cannot talk to nodeagents,resulting in "JSSL0080E SSL HandShake Execption".
How to create & add a new Signer certificates for existing profile.
Scope
This document is intended for web administrators & webmasters to prevent the server outage which is caused by the certificate expiry issue in websphere application server version 6.1.
Best-Practices/Learning
1. APAR Fix: PK42863 resolves the following problem: PROBLEM SUMMARYUSERS AFFECTED: All users of servers installed with IBM® WebSphere® Application Server version
6.1.PROBLEM DESCRIPTION: The default self-signed certificate on version 6.1 servers has a life span of 1 year. By default every 28 days the server checks and reports the status of certificate expiration. By default 60 days before a self-signed certificate expires, the threshold period, the certificate will get replaced automatically. While administrative clients will handle the certificate replacement by retrieving the new signer certificate fine, other services like WebServer will not. In the case of a WebServer the extracting of the signer certificate is manual. So the automatic replacement of it's certificate can cause an outage of the service.
RECOMMENDATION: Servers self-signed certificate will get replaced 60 days before they expire. That means about 10 months after the self-signed certificate gets created. This will cause a server outage on services like WebServer where the managing of the client signer certificate is a manual step. So this change will extend the life span of the default self-signed certificate to 15 years and provide addition warning time before certificates are automatically replaced.
For More Information: http://www-1.ibm.com/support/docview.wss?uid=swg1PK42863
2. APAR Fix: PK36869: After automatic cert renewal DMGR cannot talk to Nodeagents. "JSSL0080E SSL HANDSHAKE EXECPTION"
Error description
In WAS 6.1 the default certificate expires in one year. Just before the expiration, the cert is renewed automatically. After this automatic cert renewal, dmgr cannot talk to nodeagents,
resulting in "JSSL0080E SSL HandShake Execption".
If the renewal is done while WAS is up and running, the user has to update dmgr/trust.p12 and appsrv/trust.p12 when prompted during the next WAS shutdown. This does not work
If WAS is running as a service on Windows platforms.
If the cert is expired while WAS is NOT running, WAS has to be started with expired cert. Automatic renewal runs during the next start-up of dmgr. The user has to run sync node.
As a work around, the user currently has to add manually the renewed certs to the trust stores.
Add the cert of Cell to Node, and the other one of Node to Cell.
The error is produced as a direct result of automatice cert renewal. The renewed cert should be added to Cell and Node trust stores automatically.
Additionally, the certificate expiration monitor has been modified to properly handle this condition; this fix has been shipped in APAR PK48659.
Local fix
As a work around, the user currently has to add manually the renewed certs to the trust stores. Add the cert of Cell to Node, and the other one of Node to Cell.
RECOMMENDATION: Application Server was incorrectly processing the sequence of events that need to complete before the certificates are renewed and exchanged between the Deployment Manager and the Node Agent.
For more information: http://www-1.ibm.com/support/docview.wss?uid=swg1PK36869
3. How to create & add a new Signer certificates for existing profile.
Create new key.p12 keystore
SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates
Create Self Signed Cert
Alias:
Common Name:
Validity Period: 3650
Organization: xyz
Click OK
Extract certificate
SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates >Extract certificate
Certificate file name:-key.arm ex: Server Name-key.arm
Data type: Base64-encoded ASCII data
Default location for file to be created is:
/profiles/dmgr/etc/ ex: /opt/was61/profiles/dmgr/etc/
Import certificate created trust.p12
SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates
Alias:-key
File Name:/profiles/dmgr/etc/-key.arm
Data type: Base64-encoded ASCII data
Copy trust.p12 and key.p12 to all the nodes
FROM:
/profiles/dmgr/config/cells//trust.p12
/profiles/dmgr/config/cells//key.p12
TO:/profiles/dmgr/config/cells//nodes//trust.p12
/profiles/dmgr/config/cells//nodes/ /key.p12
Restart nodes and dmgr from command line. When prompted to accept certificate, accept the certificate.
Start dmgr
Sync nodes manually to dmgr. When prompted to accept certificate, accept the certificate.
8. SSL certificate and key management > SSL configurations > CellDefaultSSLSettings
Select the certificate that you created in the following drop downs:
Default server certificate alias
Default client certificate alias
Click ->Get Certificate Aliases
Click -> OK
9. SSL certificate and key management > Manage endpoint security configurations
NOTE: This is a similar process the needs to be completed for all nodes and cells, both inbound and outbound
Select Node Level:
Change
Certificate alias in key store: Certificate that you imported
Click -> Update Certificate Alias List
Click -> OK
Repeat for Node Level – Inbound and Outbound
Repeat for Cell Level – Inbound and Outbound
Conclusions
With this fix, a couple of things are being done to prevent service outages: 1. a prenotification message will start appearing 90 days before the threshold period. Warning user that certificates will get replaced when in the expiration threshold. 2. The default self-signed certificate life span is extended to 15 years. Note: this is only applicable for a profile which will be created after applying this APAR fix.
Application Server has been modified to, at cell profile creation time, create separate signer certificates in each keystore so that proper exchange can take place at certificate expiration amd renewal time. NOTE: this APAR does not handle profiles that have already been created. To address certificate expiration and renewal in Application Server with existing
Profiles, please reference the WebSphere Application Server flash "Possible client outage for WebSphere Application Server V6.1 if using default self-signed certificate expiration" and/or install WebSphere maintenance fix pack 6.1.0.7. The fix for this APAR is currently targeted for inclusion in fix pack 6.1.0.11. Please refer to the recommended updates page for delivery
Information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
The default self-signed certificate on version 6.1 servers has a life span of 1 year. By default every 28 days the server checks and reports the status of certificate expiration, by updating the APAR Fix : PK42863: 6.1.0.5 With this fix, a couple of things are being done to prevent service outages: 1. A prenotification message will start appearing 90 days before the threshold period. Warning user that certificates will get replaced when in the expiration threshold. 2. The default self-signed certificate life span is extended to 15 years. Note: this is only applicable for a profile which will be created after applying this APAR fix. APAR Fix: PK36869: After automatic cert renewal DMGR cannot talk to Nodeagents. "JSSL0080E SSL HANDSHAKE EXECPTION"In WAS 6.1 the default certificate expires in one year. Just before the expiration, the cert is renewed automatically. After this automatic cert renewal, dmgr cannot talk to nodeagents,resulting in "JSSL0080E SSL HandShake Execption".
How to create & add a new Signer certificates for existing profile.
Scope
This document is intended for web administrators & webmasters to prevent the server outage which is caused by the certificate expiry issue in websphere application server version 6.1.
Best-Practices/Learning
1. APAR Fix: PK42863 resolves the following problem: PROBLEM SUMMARYUSERS AFFECTED: All users of servers installed with IBM® WebSphere® Application Server version
6.1.PROBLEM DESCRIPTION: The default self-signed certificate on version 6.1 servers has a life span of 1 year. By default every 28 days the server checks and reports the status of certificate expiration. By default 60 days before a self-signed certificate expires, the threshold period, the certificate will get replaced automatically. While administrative clients will handle the certificate replacement by retrieving the new signer certificate fine, other services like WebServer will not. In the case of a WebServer the extracting of the signer certificate is manual. So the automatic replacement of it's certificate can cause an outage of the service.
RECOMMENDATION: Servers self-signed certificate will get replaced 60 days before they expire. That means about 10 months after the self-signed certificate gets created. This will cause a server outage on services like WebServer where the managing of the client signer certificate is a manual step. So this change will extend the life span of the default self-signed certificate to 15 years and provide addition warning time before certificates are automatically replaced.
For More Information: http://www-1.ibm.com/support/docview.wss?uid=swg1PK42863
2. APAR Fix: PK36869: After automatic cert renewal DMGR cannot talk to Nodeagents. "JSSL0080E SSL HANDSHAKE EXECPTION"
Error description
In WAS 6.1 the default certificate expires in one year. Just before the expiration, the cert is renewed automatically. After this automatic cert renewal, dmgr cannot talk to nodeagents,
resulting in "JSSL0080E SSL HandShake Execption".
If the renewal is done while WAS is up and running, the user has to update dmgr/trust.p12 and appsrv/trust.p12 when prompted during the next WAS shutdown. This does not work
If WAS is running as a service on Windows platforms.
If the cert is expired while WAS is NOT running, WAS has to be started with expired cert. Automatic renewal runs during the next start-up of dmgr. The user has to run sync node.
As a work around, the user currently has to add manually the renewed certs to the trust stores.
Add the cert of Cell to Node, and the other one of Node to Cell.
The error is produced as a direct result of automatice cert renewal. The renewed cert should be added to Cell and Node trust stores automatically.
Additionally, the certificate expiration monitor has been modified to properly handle this condition; this fix has been shipped in APAR PK48659.
Local fix
As a work around, the user currently has to add manually the renewed certs to the trust stores. Add the cert of Cell to Node, and the other one of Node to Cell.
RECOMMENDATION: Application Server was incorrectly processing the sequence of events that need to complete before the certificates are renewed and exchanged between the Deployment Manager and the Node Agent.
For more information: http://www-1.ibm.com/support/docview.wss?uid=swg1PK36869
3. How to create & add a new Signer certificates for existing profile.
Create new key.p12 keystore
SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates
Create Self Signed Cert
Alias:
Common Name:
Validity Period: 3650
Organization: xyz
Click OK
Extract certificate
SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates >
Certificate file name:
Data type: Base64-encoded ASCII data
Default location for file to be created is:
Import certificate created trust.p12
SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates
Alias:
File Name:
Data type: Base64-encoded ASCII data
Copy trust.p12 and key.p12 to all the nodes
FROM:
TO:
/profiles/dmgr/config/cells/
Restart nodes and dmgr from command line. When prompted to accept certificate, accept the certificate.
Start dmgr
Sync nodes manually to dmgr. When prompted to accept certificate, accept the certificate.
8. SSL certificate and key management > SSL configurations > CellDefaultSSLSettings
Select the certificate that you created in the following drop downs:
Default server certificate alias
Default client certificate alias
Click ->Get Certificate Aliases
Click -> OK
9. SSL certificate and key management > Manage endpoint security configurations
NOTE: This is a similar process the needs to be completed for all nodes and cells, both inbound and outbound
Select Node Level:
Change
Certificate alias in key store: Certificate that you imported
Click -> Update Certificate Alias List
Click -> OK
Repeat for Node Level – Inbound and Outbound
Repeat for Cell Level – Inbound and Outbound
Conclusions
With this fix, a couple of things are being done to prevent service outages: 1. a prenotification message will start appearing 90 days before the threshold period. Warning user that certificates will get replaced when in the expiration threshold. 2. The default self-signed certificate life span is extended to 15 years. Note: this is only applicable for a profile which will be created after applying this APAR fix.
Application Server has been modified to, at cell profile creation time, create separate signer certificates in each keystore so that proper exchange can take place at certificate expiration amd renewal time. NOTE: this APAR does not handle profiles that have already been created. To address certificate expiration and renewal in Application Server with existing
Profiles, please reference the WebSphere Application Server flash "Possible client outage for WebSphere Application Server V6.1 if using default self-signed certificate expiration" and/or install WebSphere maintenance fix pack 6.1.0.7. The fix for this APAR is currently targeted for inclusion in fix pack 6.1.0.11. Please refer to the recommended updates page for delivery
Information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Using threads in a J2EE application client
Problem
The extensions class loader for IBM® WebSphere® Application Server is where the Application Server itself is loaded. In previous versions of the Application Server, the run time was loaded by this single class loader. However, beginning with WebSphere Application Server Version 6.1, the Application Server is packaged as a set of OSGi bundles. Each OSGi bundle is loaded separately by its own class loader. This network of OSGi class loaders is then connected to the extensions class loader and the rest of the class loader hierarchy.
Cause
Due to this architectural change in the internals of how the Application Server loads its own classes, there are special considerations for a Java™ 2 Platform, Enterprise Edition (J2EE) application client that uses multithreads. The main thread of the application must not return until all of the other user non-daemon threads stop. The OSGi bundle class loaders shut down immediately after the main thread of the application has returned.
Resolving the problem
If the application logic does not allow the main thread to wait for all of the other user threads to stop, there is an alternative way to keep the OSGi bundle class loaders from shutting down. Use the -JVMOptions argument in the launchClient command to set the -Dosgi.noShutdown=true system property. The OSGi bundle class loaders do not shut down with this property set, but the application must call the System.exit method to stop the Java virtual machine.This problem has been fixed in WebSphere Application Server Version 6.1.0.9. See APAR PK42668.
The extensions class loader for IBM® WebSphere® Application Server is where the Application Server itself is loaded. In previous versions of the Application Server, the run time was loaded by this single class loader. However, beginning with WebSphere Application Server Version 6.1, the Application Server is packaged as a set of OSGi bundles. Each OSGi bundle is loaded separately by its own class loader. This network of OSGi class loaders is then connected to the extensions class loader and the rest of the class loader hierarchy.
Cause
Due to this architectural change in the internals of how the Application Server loads its own classes, there are special considerations for a Java™ 2 Platform, Enterprise Edition (J2EE) application client that uses multithreads. The main thread of the application must not return until all of the other user non-daemon threads stop. The OSGi bundle class loaders shut down immediately after the main thread of the application has returned.
Resolving the problem
If the application logic does not allow the main thread to wait for all of the other user threads to stop, there is an alternative way to keep the OSGi bundle class loaders from shutting down. Use the -JVMOptions argument in the launchClient command to set the -Dosgi.noShutdown=true system property. The OSGi bundle class loaders do not shut down with this property set, but the application must call the System.exit method to stop the Java virtual machine.This problem has been fixed in WebSphere Application Server Version 6.1.0.9. See APAR PK42668.
Subscribe to:
Posts (Atom)
