
Archive for the ‘Websphere’ Category

Custom authorization in Datapower

October 12, 2010

We have an enterprise authorization web service integrated into our Datapower appliance as a custom AAA step. Everything seemed to work fine, but it was showing “authorization failed” all the time.

The simple trick was just to put the <approved/> node in the stylesheet, and so in the resulting node tree, in case of success.

Simple, but you have to know it…

From the Datapower Authentication and Authorization Redbook:

- Custom template
Authorization might be managed through an XSL stylesheet. Two different outputs are also possible for this XSL:

• The <approved/> element, which means “authorization success” to the DataPower AAA framework

• The <declined/> element, which means “authorization failure”

Renew certificate in Websphere keystore while retaining same alias

October 12, 2010

Renewing expired SSL certificates in Websphere is problematic in some cases. The Websphere admin console offers few functions for manipulating aliases in keystores, and if the certificate alias is used throughout your infrastructure mappings (for example in SSL Configurations and web chains), fixing the entries to use a new alias could be cumbersome. Below are a few easy steps to renew/replace an SSL certificate in a keystore while retaining the same alias. The general idea is to manipulate the keystore and truststore using the iKeyman utility instead of the Websphere admin console.

  1. Copy key.p12 and trust.p12 from the Deployment Manager config (<DeploymentManager_profile>\config\cells\<cell_name>) to a separate backup directory
  2. Start the iKeyman.bat utility from the \bin directory in the Deployment Manager profile
  3. Open key.p12 from the backup directory and delete the certificate that you would like to replace in “Personal Certificates”
  4. Now import the new certificate obtained from the CA into the keystore's “Personal Certificates”
  5. When prompted to change the label (it is a GUID in the case of a Microsoft CA issuer), give it the same alias name as it had before. Click “Apply” and “OK”
  6. You will see the new certificate with the proper alias in the list of “Personal Certificates”
  7. Save the changes to the key.p12 file

Repeat the same steps with the trust.p12 file, but use the .cer file instead of the .pfx to import just the public certificate part, and use the “Signer Certificates” folder instead of “Personal Certificates”.

Now that you have prepared both the key.p12 and trust.p12 files:

  1. Stop the Deployment Manager
  2. Copy the new key.p12 and trust.p12 files to the Deployment Manager config (<DeploymentManager_profile>\config\cells\<cell_name>)
  3. Start the Deployment Manager

If you have the “Synchronize nodes on startup” option, you are done and can verify the new certificates in the Websphere console. If not, just synchronize the nodes and they will get the updated key and trust files.

Error Importing PKCS12/ PFX Certificate to Websphere 6.1

October 15, 2009

We recently encountered problems trying to import a certificate generated by our local Enterprise Microsoft CA Server into Websphere Server. Importing from both the WAS console and ikeyman.bat gave errors: “Database is corrupted” and “Could not open keystore”.

Trying to see the content of this PFX file using keytool:
\java\jre\bin>keytool -list -v -keystore test.pfx -storetype pkcs12 -storepass test

also ended up in an error: “java.io.IOException: Error in loading the keystore: Private key decryption error: (java.security.InvalidKeyException: Illegal key size)”

The issue appeared to boil down to a problem with the Java security policy files, their ‘restricted’ and ‘unrestricted’ flavours, and the size of the keys used by our local CA.

Downloading the unrestricted JCE policy files for IBM JVM 1.4.2+ (US_export_policy.jar and local_policy.jar) and replacing them in the WAS JVM worked like a charm.

Resolution steps for WAS 6.1:

  • Go to the developerWorks Java Technology Security page at URL: Java Technology Security
  • Click on the “J2SE 5.0” link for WebSphere Application Server 6.1.xx
  • Scroll down on the resulting page and click on the “IBM SDK Policy files” link.
  • Select “Unrestricted JCE Policy files for SDK for all newer versions 1.4.2+” and download them
  • Extract the local_policy.jar and US_export_policy.jar files from the unrestricted.zip archive.
  • Stop the application server
  • Back up the local_policy.jar and US_export_policy.jar files located in the following directory: \java\jre\lib\security\
  • Place the new, previously downloaded files in \java\jre\lib\security\
  • Start the server
  • Now you will be able to open the keystore with ikeyman and from the admin console

Websphere wsadmin.bat utility running out of memory

January 16, 2009

Recently we encountered memory problems running Websphere wsadmin-based scripts.

We were trying to retrieve a large amount of CBE events from WESB using the eventquery.bat script, and the default 256K memory settings were easily exhausted.

Our first option was to find the line shown below in wsadmin.bat and increase it:

set PERFJAVAOPTION=-Xms256m -Xmx256m -Xj9 -Xquickstart

 

But of course we wanted a somewhat more elegant solution and came across the following IBM Tech Note, which describes the ‘javaoption’ parameter:

http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&uid=swg1PQ73288

 

Instead of modifying the wsadmin.bat file, passing ‘javaoption’ parameters worked perfectly:

wsadmin.bat   -javaoption -Xms256m -javaoption -Xmx768m .. rest of parameters…

or in event query case:

eventquery.bat   -javaoption -Xms256m -javaoption -Xmx768m .. rest of parameters…

Websphere Password Decoding

December 16, 2008

Passwords stored in Websphere Server configuration files can actually be decoded:
http://robertmaldon.blogspot.com/2006/07/recovering-passwords-from-websphere.html

For Websphere ESB 6.1, which runs on top of WAS 6.1.17, the actual command is:
\IBM\WebSphere\ESB\deploytool\itp\plugins\com.ibm.websphere.v61_6.1.200>\IBM\WebSphere\ESB\java\bin\java -cp ws_runtime.jar com.ibm.ws.security.util.PasswordDecoder {xor}booqL2sSOm0=
encoded password == “{xor}bWcqL2sSOm0=”, decoded password == “hello”

And a very nice online password decoder
http://www.sysman.nl/wasdecoder/
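
Why this matters for anyone protecting these files: the {xor} prefix marks an encoding (each byte XORed with "_", then base64), not encryption, so file permissions on the configuration are the only real protection. The following audit sketch is an added example, not code from this post or from IBM; the sample configuration lines and the helper names are constructed for illustration. It reports where reversible values live without echoing the cleartext.

```python
import base64
import re

# WebSphere "{xor}" values: every byte is XORed with "_" (0x5F), then base64-encoded.
# There is no secret key involved, so anyone who can read the file can reverse it.
XOR_KEY = 0x5F
XOR_ATTR = re.compile(r'(\w+)="\{xor\}([A-Za-z0-9+/]*={0,2})"')


def xor_encode(plain: str) -> str:
    """Produce the {xor} form of a string (used here only to build test data)."""
    masked = bytes(b ^ XOR_KEY for b in plain.encode("utf-8"))
    return "{xor}" + base64.b64encode(masked).decode("ascii")


def xor_decode(encoded: str) -> str:
    """Reverse a {xor} value; raises ValueError on anything malformed."""
    if not encoded.startswith("{xor}"):
        raise ValueError("not a {xor} value")
    raw = base64.b64decode(encoded[len("{xor}"):], validate=True)
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")


def audit(config_text: str):
    """Return (line_no, attribute, recovered_length) for each reversible value."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        for attr, b64 in XOR_ATTR.findall(line):
            try:
                clear = xor_decode("{xor}" + b64)
            except ValueError:  # bad base64 or undecodable bytes: skip it
                continue
            findings.append((line_no, attr, len(clear)))  # never store cleartext
    return findings


# Constructed sample lines in the style of a WebSphere config file (not a real cell).
SAMPLE = """\
<authDataEntries alias="node/db2" userId="dbuser" password="{xor}NzozMzA="/>
<properties name="com.ibm.ssl.protocol" value="SSL_TLS"/>
<keyStores name="NodeDefaultKeyStore" password="{xor}Lz4sLCgwLTs=" location="key.p12"/>
"""

if __name__ == "__main__":
    for line_no, attr, length in audit(SAMPLE):
        print(f"line {line_no}: {attr} is only {{xor}}-encoded ({length} chars recoverable)")
```

Any line the audit flags should be treated as holding a cleartext credential when deciding who may read or back up the file.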

Plugins integration with WID 6.1.2

November 18, 2008

The new WID 6.1.2 hides plugin installation by default. I was looking for the usual Eclipse menu Help->Software Updates->Find and Install to point to a site for installing the plugin, but it had disappeared. The trick was to switch from the default “Business Integration” perspective to “Resources”, and then “Software Updates” is back and working.

Of course, the other ways of copying jars to features/plugins and links still work, but managed updates via Eclipse seem to be the more elegant way. (http://www.venukb.com/2006/08/20/install-eclipse-plugins-the-easy-way/)

Collection of useful SOA and general plugins:

  1. Subclipse plugin installation instructions: Subversion integration
    http://subclipse.tigris.org/install.html
    http://www-128.ibm.com/developerworks/opensource/library/os-ecl-subversion/
  2. SoapUI Plugin – Web Service Testing
    http://www.soapui.org/eclipse/index.html
  3. BIRT Plugin – useful for Tivoli Common Reporting on SOA infrastructure
    http://www.eclipse.org/birt/phoenix/
  4. WSRR Plugin – Webservice registry and repository plugin
    http://publib.boulder.ibm.com/infocenter/sr/v6r2/index.jsp?topic=/com.ibm.sr.doc/twsr_plugininstall.html

WAS 6.1 setup Windows NT Service

September 10, 2008

There is a handy WASService command available in WAS_ROOT\bin that allows Websphere Application Server 6.1 to be integrated with Windows Services.

Samples and documentation are on the IBM InfoCenter – WASService Command

For WAS with security enabled, the first thing we encountered was a failure to stop the WAS service from the service console.

   RoleBasedAuth E   SECJ0306E: No received or invocation credential exist on the thread. … The stack trace  is java.lang.Exception: Invocation and received credentials are both null

To mitigate the problem, add the “stopArgs” parameter specifying the username and password. In addition, to make storing the password more secure, specify “-encodeParams” and the password will be stored in the registry in a non-readable format.

WASService.exe -add "DEV01N01" -serverName server1 -profilePath C:\IBM\pf\ESB\DEV01N01 -stopArgs "-username userA -password passwordXXX" -encodeParams

WID 6.1.2 – problems migrating the mediation module

July 2, 2008

After battling WID 6.1.2 startup, a few more problems came up during migration of mediation projects to the new WID 6.1.2.

1. The WebService export binding does not regenerate the binding servlet in the descriptors, even after a full clean and rebuild. The error received when sending SOAP:

               Error 404: SRVE0190E: File not found: /sca/WebService

Basically, web.xml was missing the servlet mapping:

<servlet id="WebService_WebServicePortTypeHttpPort">
    <display-name>Web Services Router Servlet for SCA</display-name>
    <servlet-name>WebService_WebServicePortTypeHttpPort</servlet-name>
    <servlet-class>com.ibm.ws.webservices.engine.transport.http.WebServicesServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>WebService_WebServicePortTypeHttpPort</servlet-name>
    <url-pattern>sca/WebService</url-pattern>
</servlet-mapping>

The easiest way to get WID to regenerate web.xml properly was to “Replace the Binding” on the Export.

2. The Web Service Import binding does not regenerate the EJB references in the descriptors after a full clean and rebuild. We got the following exception while testing the mediation module:

com.ibm.websphere.sca.ServiceRuntimeException: Resource
java:comp/env/sca/import/SOAServicesInterfacePartner cannot be resovled.:
caused by: javax.naming.NameNotFoundException: Name comp/env/sca not found in  context “java:”.

This problem looks pretty much the same as in this IBM support note:

http://www-1.ibm.com/support/docview.wss?rs=203&context=SW000&dc=DA410&dc=DA450&dc=DA430&dc=DA440&dc=D600&dc=D700&dc=DB510&dc=DB520&dc=D800&dc=D900&dc=DA900&dc=DA800&dc=DB540&dc=DB400&dc=DB560&dc=DB530&dc=DA600&dc=DB550&dc=D100&dc=DA420&dc=DA460&dc=DB300&dc=DA470&dc=DA480&dc=DB100&dc=DA4A10&dc=DA4A20&dc=DA700&dc=DA4A30&dc=DA400&dc=DA100&dc=DA500&dc=D200&dc=DB700&dc=DB600&q1=JR24087&uid=swg1JR24087&loc=en_US&cs=UTF-8&lang=all

The following EJB reference is missing in ejb-jar.xml:

<service-ref>
    <description>SOAServicesInterfacePartner</description>
    <service-ref-name>sca/import/SOAServicesInterfacePartner</service-ref-name>
    <service-interface>javax.xml.rpc.Service</service-interface>
    <wsdl-file>META-INF/wsdl/validateUser.wsdl</wsdl-file>
    <jaxrpc-mapping-file>META-INF/validateUser_mapping.xml</jaxrpc-mapping-file>
    <service-qname xmlns:pfx="urn:com:deloitte:pim:soa">pfx:SOAServices</service-qname>
    <handler>
        <display-name>SCA Service Import Handler</display-name>
        <handler-name>ServiceImportHandler</handler-name>
        <handler-class>com.ibm.wsspi.sca.webservice.jaxrpc.ServiceImportHandler</handler-class>
    </handler>
</service-ref>

The same trick with refactoring the name of the import did not work – looking for a workaround…

The root cause of both problems was the presence of SOAP 1.2 bindings in the .NET Web Service WSDL. Disabling SOAP 1.2 did the trick…


WID 6.1.2 launch problem

June 30, 2008

Having to migrate to Vista, I took this opportunity to upgrade my Websphere Integration Developer to the latest and greatest WID 6.1.2 just released by IBM. And the first immediate problem I encountered – it just would not start up! Every attempt to start WID produced this error, with a printout of all the startup parameters:

JVM terminated. Exit code =1
…\javaw.exe
-quickstart
-Xms512m

I have scanned all the newsgroups – apparently this problem existed before this release in other IBM and Eclipse based products. IBM support site suggests it may be due to the java cache and -Xshareclasses flag:

Rational Software Development Platform desktop product fails to launch

And numerous newsgroups publishing workarounds:
Java Ranch

The solution for the new WID 6.1.2 was to clear out eclipse.ini from all the arguments leaving only 2 lines specifying the jdk to call:

-vm
C:\IBM\WID61\jdk\jre\bin\javaw.exe

And Wow – it’s starting up.

I played with all the parameters by adding/removing them from eclipse.ini, and the offending one was -Xmx1024m, which specifies the maximum Java heap (decreasing it to 512m helped in my case). It looks like the launcher tries to start up a few Java processes and exhausts the RAM available on the laptop.

Anyway, just clear out eclipse.ini and leave the 2 lines – it will work with defaults.

Checking versions of Websphere FixPacks

June 17, 2008

Websphere Application Server has a nice utility to check Fixpacks and iFixes installed in the system

  • <WAS_ROOT>/bin/versionInfo.bat  -maintenancePackages

It will print all the version details and information on Fixpacks.

More on versionInfo options:

http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/rins_versionInfo.html
