Detect/Report orhaned objects in Datapower

A quick tip from HermannSW

Simple and not well-known facility in DataPower for detecting/reporting orphaned objects!

• open a service, eg. a XML FW.
• then click on “Conformance” link in “General” tab
• deselect the “WS-I-*” validators
• select the “DataPower Configuration Profiler”
• select what you want to validate (by default the object you opened)
• click on “Validate”

Reported messages for one of my XML FWs (with references to the objects):
“Configuration is defined, but not referenced!!”
or
“Document cache of xml-manager is disabled. Disabling the document cache might impact the performance.”

IBM Integration Designer Installation troubleshooting

Just spent quite a few hours troubleshooting IID V8.0 installation. Troubles started when installing DB2 Express (which comes with IID). I got to the end of installation but none of the server profiles was configured. Errors in the logs pointed to a pretty common SQL error

“SQL1092N “USER” does not have the authority to perform the requested command “

And it reported my domain Windows user account instead of “bpmadmin” user that was configured in the wizard.

Had to dig all the DB2 forums to come up with fixes. Wish IBM would document it somehow.

1. Verify user Domain Account and “bpmadmin” is part of DB2ADMNS and Administrators group

2. Verify  in DB2 SYSADM, SYSCTRL, SYSMON groups are set to DB2ADMNS

   db2 get dbm cfg

3. If they are not update groups:

db2 update dbm cfg using SYSMAINT_GROUP DB2ADMNS

db2 update dbm cfg using SYSCTRL_GROUP DB2ADMNS

db2 update dbm cfg using SYSMON_GROUP DB2ADMNS

db2 update dbm cfg using SYSADM_GROUP DB2ADMNS

4. Check that DB2_GRP_LOOKUP=TOKEN to make sure it works with domain account:

  db2set -all

5. To update this setting run:

db2set DB2_GRP_LOOKUP=TOKEN

6. Restart DB2 instance

7. Reset WAS profile : Open IID, right click on Server -> Manage Profiles -> Reset Profile

8. If Reset did not work delete profile, and all files in profiles directory and re-create the profile with PMT

Custom authorization in Datapower

We have an enterprise authorization web service integrated to our Datapower Appliance as a custom AAA step.Everything seemed to work fine but it was showing “authorization failed” all the time.

The simple trick was to  just to put the <approved/> node in the stylesheet and the resulting node tree in case of success..

Simple, but have to know …

From Datapower Authentication and Authorization Redbook :

- Custom template
Authorization might be managed through an XSL stylesheet. Two different outputs are also possible for this XSL:

• The <approved/> element, which means “authorization success” to the DataPowerAAA framework

• The <declined/> element, which means “authorization failure”

How to convert PFX certificate to JKS format

Use ikeyman.bat provided by IBM as  part of Websphere and other IBM products, or similar key management utility for your Java platform. It has capability to import PKCS12 certificates (which exactly what PFX is) and save it as Java Key Store.

Or Another possible way consists of 3 steps conversion: (prerequisite – having JDK installed on the machine) :

1.  Extract from PFX file key and cert in PEM format   

 openssl pkcs12 -nocerts -in %_PFXFILE% -out %_KEYPEM% -passin pass:%_PASSWD% -passout pass:%_PASSWD%    

openssl pkcs12 -clcerts -nokeys -in %_PFXFILE% -out %_CERTPEM% -passin pass:%_PASSWD

2.  Convert both cert and key from PEM to DER format     

 openssl pkcs8 -topk8 -nocrypt -in %_KEYPEM% -inform PEM -out %_KEYDER% -outform DER -passin pass:%PASSWD%

 openssl x509 -in %_CERTPEM% -inform PEM -out %_CERTDER% -outform DER

3. Use java code to combine Cert and Key to JKS store format 

java ImportKey %_KEYDER% %_CERTDER% %_KEYSTORE% %_ALIAS% %_JKSPASSWD%

To automate this process I have created batch utility you could use.
Download “How to convert PFX to JKS.doc” file from the right side bar Box.net widget, extract all the files in the attachement, and set JAVA_HOME to your JDK installation, then run the bat file:

>pfx2jks.bat <pfxFile> <pfxPassword> <JksPassword>

Where

pfxFile – pfx file you would like to convert
pfxPassword – password set on pfx file (provided to you along with pfx)
jksPassword – password you would like to set on JKS store

Here is the sample output:

C:\certtests\pfx2jks>set JAVA_HOME=c:\IBM\WID62\jdk

C:\certtests\pfx2jks>PFX2JKS.bat ..\certs\intesbtest.pfx xxxx  testjks

 Using JAVA_HOME: c:\IBM\WID62\jdk

Converting: C:\certtests\certs\intesbtest.pfx

To JKS store: C:\certtests\certs\intesbtest.jks

With Password: xxxx

MAC verified OK

Key extracted in PEM format

MAC verified OK

Cert extracted in PEM format

Key converted to DER format

Cert converted to DER format

Using keystore-file : C:\certtests\certs\intesbtest.jks

One certificate, no chain.

Key and certificate stored.

Alias:intesbtest Password:testjks

Java Keystore C:\certtests\certs\intesbtest.jks was created successfully….. with password testjks

More useful SSL information on http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html

Convert PFX certificate to PEM format

PEM format is widely used by PHP applications and by LoadRunner scripts. To convert PFX /PKCS12 formatted certificate use OpenSSL tool:

openssl pkcs12 -in c:\pathTo\cert.pfx -out c:\pathTo\cert.pem

 
Cool SSL site and tools https://www.sslshopper.com/ssl-converter.html

Renew certificate in Websphere keystore while retaining same alias

Renewing expired SSL certificates in Websphere in some cases is problematic. There are not many functions available for manipulating aliases in keystores using Websphere admin console. And if certificate alias is used throughout your infrastructure mappings – for example in SSL Configurations and web chains fixing the entries with new alias could be cumbersome. Below are few easy steps to renew/replace ssl certificate in keystore while retaining same alias. General idea is to manipulate keystore and truststore using iKeyman utility instead of websphere admin console.

1. Copy key.p12 and trust.p12 from Deployment Manager config (<DeploymentManager_profile\>config\cells\<cell_name>) to some separate backup directory
2. Start iKeyman.bat uitlity from \bin directory in Deployment manager profile
3. Open key.p12 from the backup directory and delete the certificate that you would like to replace in “Personal Certificates”
4. Now import the new obtained from CA certificate to keystore “Personal Cerificates”
5. When prompted to change label (it is GUID in case of Microsoft CA issuer), give it the same alias name as it was before. Click “Apply”, and “OK”
6. You will see the new certificate with proper alias in the list of “Personal Certificates”
7. Save the key.p12 file changes

Repeat same steps with trust.p12 file, but use .cer file instead of .pfx to import just public certificate part. And use “Signer Certificates”  folder instead of  “Personal Certificates”

Now that you have prepared both key.12 and trust.p12 files :

1.  Stop Deployment Manager\
2. Copy new key.p12 and trust.p12 files to Deployment Manager config (<DeploymentManager_profile\>config\cells\<cell_name>)
3. Start Deployment manager

And if you have option “Synchronize nodes on startup”  you are done and could verify the new certificates in Websphere console. If not just synchronize the nodes and they will get the updated key and trust files.

Lotus/Domino 8.5 WebService Provider manipulating SOAP Header

Similar to previous post Domino WebService Consumer manipulating SOAP Header WebService Provider in some cases have to read SOAP Header passed. It may process the header (e.g log it’s data) and send enhanced Header back along with response. To achieve that we have to add some code to inspect and inject SOAP Header to the payload. Steps are shown below.
Locate generated Web Service Stub with the methods prepared for implementation and access MessageContext to read and set Header:

public void echo()
{
MessageContext mc = MessageContext.getCurrentContext();
// get received SOAP Header
SOAPHeaderElement header = mc.getRequestMessage().getSOAPEnvelope().getHeaderByName(wsNamespace, "auth");

// manipulate header
…

// set new manipulated header to response
mc.getResponseMessage().getSOAPEnvelope().addHeader(header);
}