IBM announced.
WebSphere AppServer 7.0! Open Beta coming soon in May
WAS 7.0 will be available in Beta in May 2008. (It's an open Beta, so all registered users can test drive it.) There is also a RAD 7.5 Open Beta in the same timeframe.
Deep experience in the field of System Engineering, Architecting Middleware & BPM, and Decision Management solutions. Experience in software development includes analysis, design and development of web-based applications and multi-tier applications. Broad knowledge of application and system architecture and design capabilities over many technologies to implement secure, robust, transactional and service-oriented architectures.
Friday, April 18, 2008
Wednesday, April 16, 2008
How can I determine the top 10 processes that have accumulated the most CPU time
How can I determine the top 10 processes that have accumulated the most CPU time?
A: The following script will display the top 10 processes that have accumulated the most CPU time:
#!/bin/sh
# Print the ps header line, then the 10 processes with the most accumulated CPU time.
ps -e | head -n 1
# Drop the header and any line whose TIME field contains "0:", then sort the
# third column (TIME) numerically in descending order and keep the top 10.
ps -e | egrep -v "TIME|0:" | sort -k 3,3 -b -n -r | head -n 10
Save the above in a file and issue 'chmod +x' before running it.
PsInfo :- Obtain information about a system on WINDOWS
PsInfo v1.75
Introduction
PsInfo is a command-line tool that gathers key information about the local or remote Windows NT/2000 system, including the type of installation, kernel build, registered organization and owner, number of processors and their type, amount of physical memory, the install date of the system, and, if it's a trial version, the expiration date.
Installation
Just copy PsInfo onto your executable path, and type "psinfo".
PsInfo works on NT 4.0 and higher (including Windows Vista).
Usage
By default PsInfo shows information for the local system. Specify a remote computer name to obtain information from the remote system. Since PsInfo relies on remote Registry access to obtain its data, the remote system must be running the Remote Registry service and the account from which you run PsInfo must have access to the HKLM\System portion of the remote Registry.
In order to aid in automated Service Pack updates, PsInfo returns as a value the Service Pack number of system (e.g. 0 for no service pack, 1 for SP 1, etc).
usage: psinfo [[\\computer[,computer[,..] | @file [-u user [-p psswd]]] [-h] [-s] [-d] [-c [-t delimiter]] [filter]
\\computer
Perform the command on the remote computer or computers specified. If you omit the computer name the command runs on the local system, and if you specify a wildcard (\\*), the command runs on all computers in the current domain.
@file
Run the command on each computer listed in the text file specified.
-u
Specifies optional user name for login to remote computer.
-p
Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password.
-h
Show list of installed hotfixes.
-s
Show list of installed applications.
-d
Show disk volume information.
-c
Print in CSV format.
-t
The default delimiter for the -c option is a comma, but it can be overridden with the specified character.
filter
Psinfo will only show data for the field matching the filter. e.g. "psinfo service" lists only the service pack field.
Example Output
c:> psinfo \\development -h -d
PsInfo v1.6 - local and remote system information viewer
System information for \\DEVELOPMENT:
Uptime: 28 days, 0 hours, 15 minutes, 12 seconds
Kernel version: Microsoft Windows XP, Multiprocessor Free
Product type: Professional
Product version: 5.1
Service pack: 0
Kernel build number: 2600
Registered organization: xxxxxxxx
Registered owner: xxxxxxxxxxx
Install date: 04/15/2008, 6:45:21 PM
Activation status: Activated
IE version: 6.0000
System root: C:\WINDOWS
Processors: 1
Processor speed: 1.7 GHz
Processor type: Intel Pentium IV
Physical memory: 1024 MB
Volume Type       Format  Label        Size      Free      Free
A:     Removable                                          0%
C:     Fixed      NTFS    WINXP        7.8 GB    1.3 GB    16%
D:     Fixed      NTFS    DEV          10.7 GB   809.7 MB  7%
H:     CD-ROM     CDFS    JEDIOUTCAST  633.6 MB            0%
I:     CD-ROM                                             0%
Q:     Remote                                             0%
T:     Fixed      NTFS    Test         502.0 MB  496.7 MB  99%
OS Hot Fix Installed
How it Works
PsInfo uses the Remote Registry API to read system information from a system's Registry, and WMI to determine whether Windows XP installations have been activated.
Critical Patch Update - April 2008 for Oracle, PeopleSoft and JD Edwards products
Critical Patch Update – April 2008
The Critical Patch Update for April 2008 was released on April 15, 2008.
Oracle strongly recommends applying the patches as soon as possible.
The Critical Patch Update Advisory is the starting point for relevant information.
It includes a list of products affected, pointers to obtain the patches, a summary of the security vulnerabilities, and links to other important documents. Supported products that are not listed in the "Supported Products and Components Affected" section of the advisory do not require new patches to be applied. Also, it is essential to review the Critical Patch Update supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.
The Critical Patch Update Advisory is available at any of the following locations:
Oracle Technology Network
Oracle, PeopleSoft and JD Edwards products
The next four Critical Patch Update release dates are:
July 15, 2008
October 14, 2008
January 13, 2009
April 14, 2009
Sincerely,
Oracle Security Alerts
Copyright © 2008, Oracle Corporation and/or its affiliates. All rights reserved.
Tuesday, April 15, 2008
Sample Questions for Websphere Application server certification.
1: What must be done to monitor EJB methods using Tivoli Performance Viewer (TPV)? (select 1)
Explanation:
http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/tprf_instrlevelejb.html
a: Select standard monitoring, and monitoring level to high.
b: Select standard monitoring, and monitoring level to Maximum.
c: Select custom monitoring, and monitoring level to high.
d: Select custom monitoring, and monitoring level to Maximum.
2: After installing WebSphere Application Server V5 using the standard installation with defaults, which is TRUE about the ports WebSphere binds to? (select 2)
Explanation: The tricky part of this question is that all of the ports listed are commonly used throughout WebSphere. Also, the ports look very similar, so at first glance, if you are in a rush, you may choose the wrong answer. The admin console listens on two ports: the first is non-secured (using http), and the second is secured (using https, after enabling global security). See the Information Center link:
http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/rins_portnumber.html
a: The embedded HTTP server listens on port 80, unless a Web Server is installed on the same machine such as IBM HTTP Server.
b: The WebSphere Admin Console can be accessed on port 9080.
c: The WebSphere Network Deployment Admin Console can be securely accessed on port 9043
d: The WebSphere Admin Console can be accessed on port 9090.
e: The WebSphere Network Deployment Admin Console can be securely accessed on port 9443
3: How can LDAP be used with WebSphere Application Server V5? (select 1)
Explanation: Many people think they have correctly answered this question when in fact they have not. There is a common misperception about what LDAP is. The following link will give you a better understanding: http://wp.netscape.com/directory/v4.0/faq.html#6 or, the following IBM Redbook is also helpful: Understanding LDAP Design and Implementation, Chapter 1, page 3 http://www.redbooks.ibm.com/redbooks/pdfs/sg244986.pdf
a: LDAP is the namespace that WebSphere uses to lookup objects in WebSphere such as EJBs and datasources.
b: LDAP is a repository containing user/group information. WebSphere can perform authentication against it.
c: LDAP is the Internet standard for directory lookups. WebSphere can use this protocol in performing authentication.
d: LDAP allows the Http plugin to communicate to the embedded Http Server in WebSphere
HP-UX, AIX, Solaris Certified for 11g DB and Apps 11i
Here's some good news from the Oracle Platform Engineering team:
http://blogs.oracle.com/schan/2008/04/04#a2587
The following new platforms are now certified with the E-Business Suite Release 11i and the Oracle Database 11g Release 11 (11.1.0.6.0):
HP-UX PA RISC,
Sun Solaris SPARC
IBM AIX
The revised platform availability list is now:
Linux x86-32
HP-UX PA-RISC
IBM AIX
Sun Solaris SPARC
Windows x86
Certification on other platforms is in progress; you're welcome to monitor or subscribe to this blog for updates, which I'll post as soon as they're available.
Create And Remove A Remote Printer Queue (CLI)
You can easily create and remove a remote printer queue using the BSD type spooler. You just have to fill the configuration file /tmp/lp.list properly, i.e. provide the local printer name, the remote LPD server, and the remote printer queue:
--------------------------------------------------------------------------------------------------
# cat <<EOF > /tmp/lp.list
locname1 lpdserv1 remname1
locname2 lpdserv2 remname2
EOF
--------------------------------------------------------------------------------------------------
Then, just run the appropriate script depending on the desired behavior. Here is an example of removing the two queues:
---------------------------------------------------------------------------------------------------
# cat <<EOF > /tmp/lp.remove
#!/usr/bin/env sh
for lplocal in `awk '{print $1}' /tmp/lp.list`; do
/usr/sbin/lpshut
/usr/bin/cancel ${lplocal} -e 2> /dev/null
/usr/sbin/lpadmin -x${lplocal}
/usr/sbin/lpsched -v
sleep 1
done
exit 0
EOF
# sh /tmp/lp.remove
scheduler stopped
scheduler is running
scheduler stopped
scheduler is running
# lpstat -olocname1
no system default destination
lpstat: "locname1" not a request id or a destination
----------------------------------------------------------------------------------------------------
And now, the creation:
----------------------------------------------------------------------------------------------------
# cat <<EOF > /tmp/lp.create
#!/usr/bin/env sh
while read lp; do
eval set -- `IFS=" "; printf '"%s" ' ${lp}`
lplocal="$1"
lpserver="$2"
lpremote="$3"
/usr/sbin/lpshut
/usr/sbin/lpadmin -p${lplocal} -orm${lpserver} -orp${lpremote} \
-mrmodel -v/dev/null -orc -ob3 -ocmrcmodel -osmrsmodel
/usr/sbin/accept ${lplocal}
/usr/bin/enable ${lplocal}
/usr/sbin/lpsched -v
sleep 1
done < /tmp/lp.list
exit 0
EOF
# sh /tmp/lp.create
scheduler stopped
destination "locname1" now accepting requests
printer "locname1" now enabled
scheduler is running
scheduler stopped
destination "locname2" now accepting requests
printer "locname2" now enabled
scheduler is running
# lpstat -olocname1
no system default destination
printer queue for locname1
Windows LPD Server
Printer \\lpdserv1\remname1
Owner Status Jobname Job-Id Size Pages Priority
----------------------------------------------------------------------------
hostname: locname1: ready and waiting
no entries
---------------------------------------------------------------------------------------------------
WebSphere Application Server V6.1 on the Solaris 10 Operating System
The Redbook is titled something like "IBM WebSphere on Sun Solaris" and is available now. Just wanted to let everyone know that this is going to be a one-stop source of information for your WebSphere deployment on Solaris. I am sure some of the chapters are really great and will answer many of the questions being asked frequently.
The book documents how WebSphere Application Server V6.1 and Solaris 10 can be configured, optimized, and managed. It describes how to virtualize and manage a WAS installation, deployment strategies and scenarios, the advanced features of Solaris 10 (e.g. SMF, Resource Management, Process Rights, Containers and Zones, ZFS, DTrace), the differences of WAS on Solaris from other platforms (e.g. Sun JDK), how to monitor and tune WAS along with the Sun JVM and Solaris, and much more.
Here is the link to the Redbook:
http://www.redbooks.ibm.com/redbooks/pdfs/sg247584.pdf
Certificate expire issue in Websphere Application server 6.1.X
Introduction:
The default self-signed certificate on version 6.1 servers has a life span of 1 year. By default, every 28 days the server checks and reports the status of certificate expiration.
APAR Fix PK42863 (6.1.0.5): with this fix, a couple of things are done to prevent service outages: 1. A prenotification message will start appearing 90 days before the threshold period, warning the user that certificates will get replaced once they are within the expiration threshold. 2. The default self-signed certificate life span is extended to 15 years. Note: this is only applicable to a profile created after applying this APAR fix.
APAR Fix PK36869: After automatic cert renewal DMGR cannot talk to Nodeagents. "JSSL0080E SSL HANDSHAKE EXECPTION". In WAS 6.1 the default certificate expires in one year. Just before the expiration, the cert is renewed automatically. After this automatic cert renewal, dmgr cannot talk to nodeagents, resulting in "JSSL0080E SSL HandShake Execption".
How to create and add new signer certificates for an existing profile.
Scope
This document is intended for web administrators and webmasters to prevent the server outage caused by the certificate expiry issue in WebSphere Application Server version 6.1.
Best-Practices/Learning
1. APAR Fix PK42863 resolves the following problem:
PROBLEM SUMMARY
USERS AFFECTED: All users of servers installed with IBM® WebSphere® Application Server version 6.1.
PROBLEM DESCRIPTION: The default self-signed certificate on version 6.1 servers has a life span of 1 year. By default every 28 days the server checks and reports the status of certificate expiration. By default, 60 days before a self-signed certificate expires (the threshold period), the certificate will get replaced automatically. While administrative clients handle the certificate replacement by retrieving the new signer certificate, other services like the WebServer will not: for a WebServer, extracting the signer certificate is a manual step, so the automatic replacement of its certificate can cause an outage of the service.
RECOMMENDATION: Servers' self-signed certificates will get replaced 60 days before they expire, that is, about 10 months after the self-signed certificate gets created. This will cause a server outage on services like the WebServer where managing the client signer certificate is a manual step. So this change extends the life span of the default self-signed certificate to 15 years and provides additional warning time before certificates are automatically replaced.
For More Information: http://www-1.ibm.com/support/docview.wss?uid=swg1PK42863
2. APAR Fix PK36869: After automatic cert renewal DMGR cannot talk to Nodeagents. "JSSL0080E SSL HANDSHAKE EXECPTION"
Error description
In WAS 6.1 the default certificate expires in one year. Just before the expiration, the cert is renewed automatically. After this automatic cert renewal, dmgr cannot talk to nodeagents, resulting in "JSSL0080E SSL HandShake Execption".
If the renewal is done while WAS is up and running, the user has to update dmgr/trust.p12 and appsrv/trust.p12 when prompted during the next WAS shutdown. This does not work if WAS is running as a service on Windows platforms.
If the cert expires while WAS is NOT running, WAS has to be started with the expired cert. Automatic renewal runs during the next start-up of dmgr. The user then has to run a node sync.
As a work around, the user currently has to add manually the renewed certs to the trust stores.
Add the cert of Cell to Node, and the other one of Node to Cell.
The error is produced as a direct result of automatic cert renewal. The renewed cert should be added to the Cell and Node trust stores automatically.
Additionally, the certificate expiration monitor has been modified to properly handle this condition; this fix has been shipped in APAR PK48659.
Local fix
As a work around, the user currently has to add manually the renewed certs to the trust stores. Add the cert of Cell to Node, and the other one of Node to Cell.
RECOMMENDATION: Application Server was incorrectly processing the sequence of events that need to complete before the certificates are renewed and exchanged between the Deployment Manager and the Node Agent.
For more information: http://www-1.ibm.com/support/docview.wss?uid=swg1PK36869
3. How to create and add new signer certificates for an existing profile.
Create new key.p12 keystore
SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates
Create Self Signed Cert
Alias:
Common Name:
Validity Period: 3650
Organization: xyz
Click OK
Extract certificate
SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates >Extract certificate
Certificate file name:-key.arm ex: Server Name-key.arm
Data type: Base64-encoded ASCII data
Default location for file to be created is:
/profiles/dmgr/etc/ ex: /opt/was61/profiles/dmgr/etc/
Import certificate created trust.p12
SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates
Alias:-key
File Name:/profiles/dmgr/etc/-key.arm
Data type: Base64-encoded ASCII data
Copy trust.p12 and key.p12 to all the nodes
FROM:
/profiles/dmgr/config/cells//trust.p12
/profiles/dmgr/config/cells//key.p12
TO:
/profiles/dmgr/config/cells//nodes//trust.p12
/profiles/dmgr/config/cells//nodes//key.p12
Restart nodes and dmgr from command line. When prompted to accept certificate, accept the certificate.
Start dmgr
Sync nodes manually to dmgr. When prompted to accept certificate, accept the certificate.
8. SSL certificate and key management > SSL configurations > CellDefaultSSLSettings
Select the certificate that you created in the following drop downs:
Default server certificate alias
Default client certificate alias
Click ->Get Certificate Aliases
Click -> OK
9. SSL certificate and key management > Manage endpoint security configurations
NOTE: This is a similar process that needs to be completed for all nodes and cells, both inbound and outbound.
Select Node Level:
Change
Certificate alias in key store: Certificate that you imported
Click -> Update Certificate Alias List
Click -> OK
Repeat for Node Level – Inbound and Outbound
Repeat for Cell Level – Inbound and Outbound
Conclusions
With this fix, a couple of things are done to prevent service outages: 1. A prenotification message will start appearing 90 days before the threshold period, warning the user that certificates will get replaced once they are within the expiration threshold. 2. The default self-signed certificate life span is extended to 15 years. Note: this is only applicable to a profile created after applying this APAR fix.
Application Server has been modified to, at cell profile creation time, create separate signer certificates in each keystore so that a proper exchange can take place at certificate expiration and renewal time. NOTE: this APAR does not handle profiles that have already been created. To address certificate expiration and renewal in Application Server with existing profiles, please reference the WebSphere Application Server flash "Possible client outage for WebSphere Application Server V6.1 if using default self-signed certificate expiration" and/or install WebSphere maintenance fix pack 6.1.0.7. The fix for this APAR is currently targeted for inclusion in fix pack 6.1.0.11. Please refer to the recommended updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
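As an added example (not from this post or from IBM), the following Python script reads a Base64 signer file like the -key.arm extracted in step 3 and reports where its notAfter date sits relative to the 60-day automatic replacement threshold and the 90-day pre-notification described above, so the WebServer signer can be updated before the server swaps it. The certificate it parses is constructed inline for the offline demo (an unsigned X.509 skeleton), and the status names and the 2008-04-18 reference date are assumptions.

```python
"""Check an extracted WebSphere signer certificate (Base64 .arm file) against the
WAS 6.1 thresholds quoted above: auto-replacement 60 days before expiry and, with
PK42863, a pre-notification starting 90 days before that window."""
import base64
import datetime as dt

REPLACE_THRESHOLD_DAYS = 60   # certificate is swapped automatically inside this window
PRENOTIFY_DAYS = 90           # warning period that precedes the replacement threshold

def der_tlv(tag, body):
    """Encode one DER tag-length-value element (used only to build test data)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def der_read(buf, pos=0):
    """Read the element at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    """Return the (tag, value) elements inside a constructed element's body."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = der_read(body, pos)
        out.append((tag, value))
    return out

def parse_asn1_time(tag, value):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18) to a UTC datetime."""
    text = value.decode("ascii")
    if tag == 0x17:                        # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)

def pem_to_der(pem):
    """Strip the BEGIN/END armour of a Base64 .arm file and decode the body."""
    lines = [ln.strip() for ln in pem.splitlines() if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(lines))

def cert_validity(der):
    """Return (notBefore, notAfter) of a DER X.509 certificate; no signature check."""
    _, cert_body, _ = der_read(der)           # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs_body, _ = der_read(cert_body)      # tbsCertificate ::= SEQUENCE
    for tag, value in der_children(tbs_body):
        kids = der_children(value) if tag == 0x30 else []
        if len(kids) == 2 and all(k[0] in (0x17, 0x18) for k in kids):   # Validity
            return tuple(parse_asn1_time(t, v) for t, v in kids)
    raise ValueError("no Validity sequence found")

def expiry_status(not_after, now):
    """Classify the remaining lifetime against the thresholds described in the APARs."""
    days_left = (not_after - now).days
    if days_left < 0:
        status = "expired"
    elif days_left <= REPLACE_THRESHOLD_DAYS:
        status = "in-replacement-threshold"   # WAS would already have swapped it
    elif days_left <= REPLACE_THRESHOLD_DAYS + PRENOTIFY_DAYS:
        status = "prenotify"
    else:
        status = "ok"
    return {"days_left": days_left, "status": status}

def check_arm(pem, now):
    """End to end: .arm file text in, status dictionary out."""
    return expiry_status(cert_validity(pem_to_der(pem))[1], now)

def build_unsigned_test_cert(not_before, not_after):
    """Constructed test data: a minimal X.509 skeleton with placeholder key and
    signature, so the parser can be exercised offline. Nothing would trust it."""
    def utctime(t):
        return der_tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    def name(cn):                              # Name ::= SEQUENCE OF SET OF { CN=cn }
        return der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x0C, cn))))
    alg = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der_tlv(0x05, b""))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))          # [0] version v3
                  + der_tlv(0x02, b"\x01") + alg + name(b"dmgr")          # serial, sigalg, issuer
                  + der_tlv(0x30, utctime(not_before) + utctime(not_after))  # validity
                  + name(b"dmgr") + der_tlv(0x30, alg + der_tlv(0x03, b"\x00\x00")))  # subject, SPKI
    cert = der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def demo_statuses(reference_day="2008-04-18"):
    """Constructed certificates at several remaining lifetimes, classified as of reference_day."""
    now = dt.datetime.strptime(reference_day, "%Y-%m-%d").replace(tzinfo=dt.timezone.utc)
    results = {}
    for days in (-1, 30, 65, 400):
        pem = build_unsigned_test_cert(now - dt.timedelta(days=300), now + dt.timedelta(days=days))
        results[days] = check_arm(pem, now)["status"]
    return results

if __name__ == "__main__":
    for days, status in demo_statuses().items():
        print(f"{days:>4} days left -> {status}")
```

Against a real -key.arm, call check_arm(open(path).read(), datetime.now(timezone.utc)); a "prenotify" result is the moment to schedule the manual WebServer signer update before the 60-day window is reached.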
The default self-signed certificate on version 6.1 servers has a life span of 1 year. By default every 28 days the server checks and reports the status of certificate expiration, by updating the APAR Fix : PK42863: 6.1.0.5 With this fix, a couple of things are being done to prevent service outages: 1. A prenotification message will start appearing 90 days before the threshold period. Warning user that certificates will get replaced when in the expiration threshold. 2. The default self-signed certificate life span is extended to 15 years. Note: this is only applicable for a profile which will be created after applying this APAR fix. APAR Fix: PK36869: After automatic cert renewal DMGR cannot talk to Nodeagents. "JSSL0080E SSL HANDSHAKE EXECPTION"In WAS 6.1 the default certificate expires in one year. Just before the expiration, the cert is renewed automatically. After this automatic cert renewal, dmgr cannot talk to nodeagents,resulting in "JSSL0080E SSL HandShake Execption".
How to create & add a new Signer certificates for existing profile.
Scope
This document is intended for web administrators & webmasters to prevent the server outage which is caused by the certificate expiry issue in websphere application server version 6.1.
Best-Practices/Learning
1. APAR Fix: PK42863 resolves the following problem: PROBLEM SUMMARYUSERS AFFECTED: All users of servers installed with IBM® WebSphere® Application Server version
6.1.PROBLEM DESCRIPTION: The default self-signed certificate on version 6.1 servers has a life span of 1 year. By default every 28 days the server checks and reports the status of certificate expiration. By default 60 days before a self-signed certificate expires, the threshold period, the certificate will get replaced automatically. While administrative clients will handle the certificate replacement by retrieving the new signer certificate fine, other services like WebServer will not. In the case of a WebServer the extracting of the signer certificate is manual. So the automatic replacement of it's certificate can cause an outage of the service.
RECOMMENDATION: Servers self-signed certificate will get replaced 60 days before they expire. That means about 10 months after the self-signed certificate gets created. This will cause a server outage on services like WebServer where the managing of the client signer certificate is a manual step. So this change will extend the life span of the default self-signed certificate to 15 years and provide addition warning time before certificates are automatically replaced.
For More Information: http://www-1.ibm.com/support/docview.wss?uid=swg1PK42863
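To make the threshold arithmetic in this APAR concrete, the following Python script is an added example (it is not IBM's code and not part of the APAR). It reads a certificate that was extracted as Base64-encoded ASCII data (the format used in the procedure later on this page), decodes the X.509 validity period with a minimal DER walker from the standard library only, and reports whether the 6.1 expiration monitor would be in the normal, 90-day prenotification, 60-day replacement, or expired state on a given day. The sample certificate, its common name `ws-node01` and its dates are constructed so the script runs offline; the 60-day and 90-day values are the ones quoted in the APAR text.

```python
import base64
from datetime import datetime, timedelta, timezone

# WAS 6.1 expiration-monitor defaults quoted in the APAR text above.
REPLACE_THRESHOLD_DAYS = 60   # self-signed cert is replaced this many days before expiry
PRENOTIFY_DAYS = 90           # PK42863: warning starts this many days before the threshold


# ---- minimal DER helpers (just enough for the X.509 fields we need) --------
def _der(tag, body):
    """Encode one DER TLV with a minimal (short or long-form) length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def _read_tlv(buf, pos):
    """Decode the TLV starting at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n_octets = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n_octets], "big")
        pos += n_octets
    return tag, buf[pos:pos + length], pos + length


def _time(dt):
    """X.509 dates before 2050 are UTCTime (YYMMDDhhmmssZ), later ones GeneralizedTime."""
    if dt.year >= 2050:
        return _der(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode("ascii"))
    return _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def _name(cn):
    """Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String cn } } }."""
    attr = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode("utf-8")))
    return _der(0x30, _der(0x31, attr))


def build_sample_cert_pem(cn, not_before, not_after):
    """Construct a structurally valid but unsigned certificate as sample input.
    Constructed test data only, not a real WebSphere certificate: the public key
    and the signature are empty placeholders, which is enough to exercise parsing."""
    version = _der(0xA0, _der(0x02, b"\x02"))                     # [0] EXPLICIT INTEGER 2 (v3)
    serial = _der(0x02, b"\x01")
    sha256_rsa = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    validity = _der(0x30, _time(not_before) + _time(not_after))
    spki = _der(0x30, b"")                                        # empty SubjectPublicKeyInfo placeholder
    tbs = _der(0x30, version + serial + sha256_rsa + _name(cn) + validity + _name(cn) + spki)
    cert = _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00"))    # empty signature BIT STRING
    b64 = base64.b64encode(cert).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def _decode_time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware UTC datetime."""
    text = raw.decode("ascii")
    if tag == 0x17:                        # RFC 5280: YY 00-49 => 20YY, 50-99 => 19YY
        text = ("20" if int(text[:2]) < 50 else "19") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_validity(pem):
    """Return (notBefore, notAfter) from a Base64/PEM-encoded X.509 certificate."""
    b64 = "".join(line.strip() for line in pem.splitlines() if line and not line.startswith("-----"))
    der = base64.b64decode(b64)
    _, cert_body, _ = _read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert_body, 0)                 # tbsCertificate ::= SEQUENCE
    tag, _, after = _read_tlv(tbs, 0)
    pos = after if tag == 0xA0 else 0                   # optional [0] version
    for _ in range(3):                                  # skip serialNumber, signature, issuer
        _, _, pos = _read_tlv(tbs, pos)
    _, validity, _ = _read_tlv(tbs, pos)                # validity ::= SEQUENCE { notBefore, notAfter }
    nb_tag, nb_raw, after = _read_tlv(validity, 0)
    na_tag, na_raw, _ = _read_tlv(validity, after)
    return _decode_time(nb_tag, nb_raw), _decode_time(na_tag, na_raw)


def monitor_status(pem, today):
    """Classify the certificate the way the 6.1 expiration monitor would on `today`
    (a datetime or 'YYYY-MM-DD'). Returns (state, days until expiry, date on which
    automatic replacement triggers, i.e. when manually managed signers must be ready)."""
    if isinstance(today, str):
        today = datetime.strptime(today, "%Y-%m-%d")
    if today.tzinfo is None:
        today = today.replace(tzinfo=timezone.utc)
    _, not_after = parse_validity(pem)
    replace_on = not_after - timedelta(days=REPLACE_THRESHOLD_DAYS)
    days_left = (not_after - today).days
    if days_left < 0:
        state = "EXPIRED"
    elif days_left <= REPLACE_THRESHOLD_DAYS:
        state = "IN_THRESHOLD_REPLACING"          # web server signer certs must already be updated
    elif days_left <= REPLACE_THRESHOLD_DAYS + PRENOTIFY_DAYS:
        state = "PRENOTIFICATION"                 # PK42863 warning window
    else:
        state = "OK"
    return state, days_left, replace_on.strftime("%Y-%m-%d")


# Constructed sample: a profile created on 2008-04-16 with the 6.1 default 1-year certificate.
SAMPLE_PEM = build_sample_cert_pem("ws-node01", datetime(2008, 4, 16), datetime(2009, 4, 16))

if __name__ == "__main__":
    for day in ("2008-06-01", "2008-12-01", "2009-02-20", "2009-05-01"):
        print(day, monitor_status(SAMPLE_PEM, day))
```

On a real cell, point `monitor_status` at the file you extracted in the admin console (for example `monitor_status(open("cert.arm").read(), "2009-02-20")`) for each node's default certificate; the returned replacement date is the deadline by which any web server plug-in keystore that only trusts the old signer must be updated by hand, since that is the step the APAR describes as manual.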
2. APAR Fix: PK36869: After automatic cert renewal DMGR cannot talk to Nodeagents. "JSSL0080E SSL HANDSHAKE EXCEPTION"
Error description
In WAS 6.1 the default certificate expires in one year. Just before the expiration, the cert is renewed automatically. After this automatic cert renewal, dmgr cannot talk to nodeagents, resulting in "JSSL0080E SSL HandShake Exception".
If the renewal is done while WAS is up and running, the user has to update dmgr/trust.p12 and appsrv/trust.p12 when prompted during the next WAS shutdown. This does not work if WAS is running as a service on Windows platforms.
If the cert expires while WAS is NOT running, WAS has to be started with the expired cert. Automatic renewal runs during the next start-up of dmgr. The user then has to run sync node.
As a work around, the user currently has to add the renewed certs to the trust stores manually: add the cert of the Cell to the Node, and the cert of the Node to the Cell.
The error is produced as a direct result of automatic cert renewal. The renewed cert should be added to the Cell and Node trust stores automatically.
Additionally, the certificate expiration monitor has been modified to properly handle this condition; this fix has been shipped in APAR PK48659.
Local fix
As a work around, the user currently has to add manually the renewed certs to the trust stores. Add the cert of Cell to Node, and the other one of Node to Cell.
RECOMMENDATION: Application Server was incorrectly processing the sequence of events that need to complete before the certificates are renewed and exchanged between the Deployment Manager and the Node Agent.
For more information: http://www-1.ibm.com/support/docview.wss?uid=swg1PK36869
3. How to create & add a new signer certificate for an existing profile.
1. Create new key.p12 keystore
SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates
Create Self Signed Cert
Alias:
Common Name:
Validity Period: 3650
Organization: xyz
Click OK
2. Extract certificate
SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates >
Certificate file name:
Data type: Base64-encoded ASCII data
Default location for file to be created is:
3. Import the certificate you created into trust.p12
SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates
Alias:
File Name:
Data type: Base64-encoded ASCII data
4. Copy trust.p12 and key.p12 to all the nodes
FROM:
TO:
/profiles/dmgr/config/cells/
5. Restart nodes and dmgr from the command line. When prompted to accept the certificate, accept it.
6. Start dmgr
7. Sync nodes manually to dmgr. When prompted to accept the certificate, accept it.
8. SSL certificate and key management > SSL configurations > CellDefaultSSLSettings
Select the certificate that you created in the following drop downs:
Default server certificate alias
Default client certificate alias
Click -> Get Certificate Aliases
Click -> OK
9. SSL certificate and key management > Manage endpoint security configurations
NOTE: This is a similar process that needs to be completed for all nodes and cells, both inbound and outbound
Select Node Level:
Change
Certificate alias in key store: Certificate that you imported
Click -> Update Certificate Alias List
Click -> OK
Repeat for Node Level – Inbound and Outbound
Repeat for Cell Level – Inbound and Outbound
Conclusions
With this fix, a couple of things are being done to prevent service outages: 1. A prenotification message will start appearing 90 days before the threshold period, warning the user that certificates will get replaced when in the expiration threshold. 2. The default self-signed certificate life span is extended to 15 years. Note: this is only applicable for a profile which is created after applying this APAR fix.
Application Server has been modified to, at cell profile creation time, create separate signer certificates in each keystore so that proper exchange can take place at certificate expiration and renewal time. NOTE: this APAR does not handle profiles that have already been created. To address certificate expiration and renewal in Application Server with existing profiles, please reference the WebSphere Application Server flash "Possible client outage for WebSphere Application Server V6.1 if using default self-signed certificate expiration" and/or install WebSphere maintenance fix pack 6.1.0.7. The fix for this APAR is currently targeted for inclusion in fix pack 6.1.0.11. Please refer to the recommended updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Using threads in a J2EE application client
Problem
The extensions class loader for IBM® WebSphere® Application Server is where the Application Server itself is loaded. In previous versions of the Application Server, the run time was loaded by this single class loader. However, beginning with WebSphere Application Server Version 6.1, the Application Server is packaged as a set of OSGi bundles. Each OSGi bundle is loaded separately by its own class loader. This network of OSGi class loaders is then connected to the extensions class loader and the rest of the class loader hierarchy.
Cause
Due to this architectural change in the internals of how the Application Server loads its own classes, there are special considerations for a Java™ 2 Platform, Enterprise Edition (J2EE) application client that uses multithreads. The main thread of the application must not return until all of the other user non-daemon threads stop. The OSGi bundle class loaders shut down immediately after the main thread of the application has returned.
Resolving the problem
If the application logic does not allow the main thread to wait for all of the other user threads to stop, there is an alternative way to keep the OSGi bundle class loaders from shutting down. Use the -JVMOptions argument in the launchClient command to set the -Dosgi.noShutdown=true system property. The OSGi bundle class loaders do not shut down with this property set, but the application must then call the System.exit method to stop the Java virtual machine. This problem has been fixed in WebSphere Application Server Version 6.1.0.9. See APAR PK42668.