Enabling IBM HTTP Server for https communication

Step1

    a.) Create a keystore

    b.) Acquire a certificate or create a self signed certificate.

    Please refer to any of my previous blog posts listed below.

            Certificate Management with ikeycmd command

            Certificate Management The ikeyman way ..

            Useful keytool commands for certificate management

            Certificate Management by using gsk7cmd command



Step2

    Configure IHS to enable https communication


    a.) Open the IHS configuration file and add the entry below to load the SSL module


        LoadModule ibm_ssl_module modules/mod_ibm_ssl.so


    b.) Add/change the listening port


        Listen 443


    c.) Add the stanza below so that IHS uses the keystore created in Step 1 for https communication

            #SSL Configuration

            SSLEnable

            KeyFile <path of keyfile>/keyfilename.kdb

        Note:- If you add the above stanza inside a VirtualHost, the configuration applies only to that virtual host.

Step3

        Restart the IHS instance.

        Try accessing the URL with the https:// prefix.


            Note:- If the certificate is self signed, you need to add the signer certificate manually to your browser keystore; otherwise you will receive a certificate warning while accessing the URL.
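As an added check (not code from the original post), the Python below scans an httpd.conf for the three entries configured in Steps 2a to 2c and reports anything missing, honouring the virtual-host scoping the note above describes. The sample configuration is constructed and the key file path under /opt/IBM/HTTPServer is an assumption.

```python
import re

# Constructed sample IHS httpd.conf after the three steps above (not from the post).
SAMPLE_CONF = """\
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
<VirtualHost *:443>
    SSLEnable
    KeyFile /opt/IBM/HTTPServer/ssl/keyfilename.kdb
</VirtualHost>
"""

def scan_ssl_directives(conf_text):
    """Return (module_loaded, listen_443, sslenable_scopes, keyfile_scopes)."""
    # Scope is 'global' or the <VirtualHost ...> argument the directive sits in;
    # directive names are matched case-insensitively, as Apache/IHS treat them.
    module, listen, ssl_scopes, key_scopes = False, False, [], []
    scope = "global"
    for line in (l.strip() for l in conf_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<(/?)VirtualHost\b\s*([^>]*)>", line, re.I)
        if m:  # entering or leaving a virtual host block
            scope = "global" if m.group(1) else m.group(2).strip()
            continue
        name, _, arg = line.partition(" ")
        name, arg = name.lower(), arg.strip().strip('"')
        if name == "loadmodule" and arg.startswith("ibm_ssl_module "):
            module = True
        elif name == "listen" and arg.split(":")[-1] == "443":
            listen = True
        elif name == "sslenable":
            ssl_scopes.append(scope)
        elif name == "keyfile":
            key_scopes.append(scope)
    return module, listen, ssl_scopes, key_scopes

def missing_ssl_entries(conf_text):
    """List what would stop https from working; an empty list means all present."""
    module, listen, ssl_scopes, key_scopes = scan_ssl_directives(conf_text)
    problems = [msg for ok, msg in (
        (module, "LoadModule ibm_ssl_module is missing"),
        (listen, "no Listen directive for port 443"),
        (ssl_scopes, "SSLEnable not set in any scope")) if not ok]
    # KeyFile is inherited from the global scope, so SSLEnable inside a
    # virtual host needs a KeyFile in that host or at global level.
    for scope in ssl_scopes:
        if scope not in key_scopes and "global" not in key_scopes:
            problems.append("SSLEnable in %s has no matching KeyFile" % scope)
    return problems
```

Run it against your real httpd.conf by reading the file into a string and passing it to missing_ssl_entries.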








Configuring mod_jk connector

mod_jk is a plug-in which handles the communication between Apache and Tomcat.


Step1


    Update the Apache configuration file (httpd.conf) to load the mod_jk module.

    Open the httpd.conf file and create the entry below. Ensure that the mod_jk.so file exists in the Apache modules directory.

    LoadModule jk_module modules/mod_jk.so


Step2


    Configure the workers.properties file path in the Apache configuration file.

    JkWorkersFile <Path>/workers.properties

    Configure the mod_jk log path

    JkLogFile <path>/mod_jk.log

    Configure the mount point from a context to a Tomcat worker

    JkMount /test/* balancer


Step3


    Create and configure the workers.properties file.

    Please note that the file should be created in the same path mentioned in Step 2.


    #lb configuration


    worker.balancer.type=lb

    worker.balancer.balance_workers=worker1,worker2


    #worker1 configuration


    worker.worker1.type=ajp13

    worker.worker1.port=8009

    worker.worker1.host=<hostname of worker1>


    #worker2 configuration


    worker.worker2.type=ajp13

    worker.worker2.port=9009

    worker.worker2.host=<hostname of worker2>

WebSphere Application Server Plugin LogLevel

 

By default the plugin uses the LogLevel value "Error". This can be changed for troubleshooting purposes.

Open the plugin-cfg.xml file and edit the LogLevel value shown below.

<Log LogLevel="Error" Name="/opt/IBM/WebSphere/Plugin/logs/http_plugin.log"/>

You can use the values below based on your need.

Trace   - All of the request processing steps in detail.
Stats   - The server selected for each request and load balancing information related to requests.
Warn    - All warning and error messages.
Error   - Only error messages.
Debug   - Critical steps performed in request processing.
Detail  - Information about requests and responses.

Certificate management with ikeycmd command

 

Many tools are available to manage certificates. ikeycmd is a powerful tool shipped with Java for managing certificates.

Below are a few examples of how you can use this command.

 

1.) Creating keydatabase file.

 ./ikeycmd -keydb -create -db /tmp/mykeydb.p12 -pw test@123 -type pkcs12

The above command creates a key database called mykeydb.p12

$ls -ltr /tmp/mykeydb.p12 


-rw-rw-r--. 1 techmech techmech 510 Sep 21 20:34 /tmp/mykeydb.p12

 

2.) Listing all certificates in a key database.

 $./ikeycmd -cert -list -db /tmp/mykeydb.p12 -pw test@123


No key was found in the key database.

Since we just created the database, there are no certificates in it yet.

3.) Creating a Self Signed Certificate.

Issue the command below on a single line.

$./ikeycmd -cert -create -db /tmp/mykeydb.p12 -pw test@123 -label tecmechcert -dn "CN=techmechanica.com,O=TechMechanica,OU=Training,L=Bangalore, ST=KA,ZIP=560001,C=IN" -size 2048

The above command creates a self signed certificate with the provided details. Please note that the key size will be 2048 bits.

You can also provide details like the ones below:

-sig_alg        --> signature algorithm

-san_dnsname    --> SAN DNS name, if needed

-san_emailaddr  --> SAN email address

To mark or not mark the certificate as the default, add the switch below to the command:

-default_cert yes  --> mark the certificate as the default.

-default_cert no   --> if you don't want to mark it as the default.

After issuing the command, a certificate with the above details is added to the provided key database.

If you list the key database again you will see the newly created self signed certificate.

$./ikeycmd -cert -list -db /tmp/mykeydb.p12 -pw test@123
Certificates in database /tmp/mykeydb.p12:
   tecmechcert

4.) Listing certificate with specific label.

$./ikeycmd -cert -details -label tecmechcert -db /tmp/mykeydb.p12 -pw test@123


Label: tecmechcert
Key Size: 2048

Version: X509 V3
Serial Number: 5F 68 C4 6D
Issued by: CN=techmechanica.com, O=TechMechanica, OU=Training, L=Bangalore, ST=KA, POSTALCODE=560001, C=IN
Subject: CN=techmechanica.com, O=TechMechanica, OU=Training, L=Bangalore, ST=KA, POSTALCODE=560001, C=IN
Valid: From: Monday, September 21, 2020 8:49:09 PM IST To: Tuesday, September 21, 2021 8:49:09 PM IST
Fingerprint:
    SHA1: 01:39:9B:46:A2:00:41:2B:37:BA:A5:40:E1:14:0D:63:7F:39:4F:F8
    SHA256: 40:63:77:0B:06:CB:2A:B8:4D:00:DA:81:31:23:7E:A0:0F:08:CF:AF:31:99:C9:64:89:CE:87:0E:B4:8F:FB:7E

Extensions: 
  - AuthorityKeyIdentifier: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 84 1b ea 6a cc bc 7d a0                           ...j....
]

]

  - SubjectKeyIdentifier: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 84 1b ea 6a cc bc 7d a0                           ...j....
]
]

Signature Algorithm: SHA1withRSA (1.2.840.113549.1.1.5)
Trust Status: enabled
----------------------------------------------

Please note that the details shown above (label, key size and subject) are the ones you provided while creating the certificate.

5.) Deleting the certificate.

Issue the command below to delete the certificate with the specified label

$./ikeycmd -cert -delete -label tecmechcert -db /tmp/mykeydb.p12 -pw test@123

You will no longer be able to list the specified certificate, as it does not exist in the key database


$./ikeycmd -cert -details -label tecmechcert -db /tmp/mykeydb.p12 -pw test@123

The database doesn't contain an entry with label 'tecmechcert'.

Check the label and try again.

 

6.) Creating CSR with ikeycmd

The command below creates a CSR and stores the request in a file called myreq.csr. You can provide/upload it to the CA to get your certificate.

$./ikeycmd -certreq -create -db /tmp/mykeydb.p12 -pw test@123 -label tecmechcert -file /tmp/myreq.csr -dn "CN=techmechanica.com,O=TechMechanica,OU=Training,L=Bangalore, ST=KA,ZIP=560001,C=IN" -size 2048

7.) Listing an existing CSR with a specified label.

$./ikeycmd -certreq -details -label tecmechcert -db /tmp/mykeydb.p12 -pw test@123


Label: tecmechcert
Key Size: 2048
Subject: CN=techmechanica.com, O=TechMechanica, OU=Training, L=Bangalore, ST=KA, POSTALCODE=560001, C=IN

Fingerprint: 8E:EC:C8:4B:71:87:BA:8C:BE:86:B5:3C:A9:97:FA:00
Signature Algorithm: SHA1withRSA (1.2.840.113549.1.1.5)
 

8.) Listing all certificate requests.

$./ikeycmd -certreq -list -db /tmp/mykeydb.p12 -pw test@123


Certificate requests in database /tmp/mykeydb.p12:
   tecmechcert

Since we have only one certificate request, only one request is listed.

9.) Deleting certificate request

  Caution:- If you delete the CSR you will not be able to receive the CA-issued certificate into the key database, because the private key that matches the certificate is stored with the request. Delete a CSR only if you feel you have created an erroneous request.

$./ikeycmd -certreq -delete -label tecmechcert -db /tmp/mykeydb.p12 -pw test@123

 The specified certificate request is deleted from the key database file. You have to create another request and submit it to the CA to obtain your certificate

$./ikeycmd -certreq -details -label tecmechcert -db /tmp/mykeydb.p12 -pw test@123

The database doesn't contain an entry with label 'tecmechcert'.

Check the label and try again.
 

10.) Receiving the issued certificate into the key database file.

After receiving the certificate from the CA, place the certificate file in any location and pass that file to the command. Use -cert -receive rather than -cert -add here: -receive pairs the issued certificate with the private key stored with the CSR from step 6, whereas -add imports a CA or signer certificate that has no private key.

$./ikeycmd -cert -receive -file /tmp/mycert.cer -db /tmp/mykeydb.p12 -pw test@123

11.) Validating the certificate.

To validate the received certificate, issue the command below.

 $./ikeycmd -cert -validate -label tecmechcert -db /tmp/mykeydb.p12 -pw test@123


Validation successful.
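-cert -validate only confirms the chain; it does not tell you whether the certificate is still fit for use. As an added check (not part of the original post), the Python below parses the -cert -details output shown in step 4 and flags what a defender would act on: the SHA1withRSA signature algorithm visible in that listing (pass -sig_alg when creating the certificate to choose a stronger one), a key size below 2048, a self-signed subject, and expiry. The sample text is the step 4 listing trimmed to its key lines.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the "ikeycmd -cert -details" listing above, trimmed to its key lines.
SAMPLE_DETAILS = """\
Label: tecmechcert
Key Size: 2048
Issued by: CN=techmechanica.com, O=TechMechanica, OU=Training, L=Bangalore, ST=KA, POSTALCODE=560001, C=IN
Subject: CN=techmechanica.com, O=TechMechanica, OU=Training, L=Bangalore, ST=KA, POSTALCODE=560001, C=IN
Valid: From: Monday, September 21, 2020 8:49:09 PM IST To: Tuesday, September 21, 2021 8:49:09 PM IST
Signature Algorithm: SHA1withRSA (1.2.840.113549.1.1.5)
"""

DATE_FMT = "%A, %B %d, %Y %I:%M:%S %p"
# The timezone token (IST above) is matched and dropped before date parsing.
VALID_RE = re.compile(r"From:\s*(.+?)\s+[A-Z]{2,5}\s+To:\s*(.+?)\s+[A-Z]{2,5}$")

def parse_cert_details(text):
    """Parse the 'Key: value' lines of ikeycmd -cert -details output into a dict."""
    fields = {k.strip(): v.strip() for k, v in
              (l.split(":", 1) for l in text.splitlines() if ":" in l)}
    m = VALID_RE.match(fields.get("Valid", ""))
    if not m:
        raise ValueError("could not parse validity period")
    return {
        "label": fields["Label"],
        "key_size": int(fields["Key Size"]),
        "subject": fields["Subject"],
        "issuer": fields["Issued by"],
        "not_before": datetime.strptime(m.group(1), DATE_FMT),
        "not_after": datetime.strptime(m.group(2), DATE_FMT),
        "sig_alg": fields["Signature Algorithm"].split()[0],
    }

def audit_cert(text, now=None, warn_days=30):
    """Return findings a defender would act on; 'now' defaults to the current time."""
    c = parse_cert_details(text)
    now = now or datetime.now()
    findings = []
    if c["sig_alg"].upper().startswith(("SHA1", "MD5")):
        findings.append("weak signature algorithm %s; recreate with -sig_alg" % c["sig_alg"])
    if c["key_size"] < 2048:
        findings.append("key size %d is below 2048" % c["key_size"])
    if c["subject"] == c["issuer"]:
        findings.append("self-signed; browsers warn unless the signer is trusted")
    if now >= c["not_after"]:
        findings.append("expired on %s" % c["not_after"].date())
    elif now + timedelta(days=warn_days) >= c["not_after"]:
        findings.append("expires within %d days" % warn_days)
    return findings
```

Pipe the real command output into audit_cert to check every label in a key database before a renewal window closes.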


 






 

WebSphere Application Server Dynamic Cluster - Part1


A dynamic cluster is an application server cluster that manages the workload of its cluster members automatically. A dynamic cluster can expand or contract its cluster members based on the workload. Dynamic clusters achieve this by using weight and performance information collected from the cluster members.

Dynamic Cluster - A Step by Step Guide
Below is a step-by-step guide for creating and verifying a dynamic cluster in WebSphere Application Server V9.

Note:- As we are using the manual cluster creation method, create a static cluster before configuring the dynamic cluster. If you need any assistance with creating a static cluster, please refer to my previous blog post on this:
Configuring and Managing IBM WebSphere Application Server Cluster – Step by Step
  
Step1

Select "Dynamic Cluster" from WebSphere Application Server Console.

Step2


Click "New". This opens the Dynamic Cluster wizard.

Step3


Select "WebSphere Application Server" from the drop-down list and click "Next".

Step4


Select the membership method "Manually define clusters" and click "Next".
Note:- Automatically defining cluster members enables automatic provisioning; the details will be discussed in a different blog post.
  
Step5


Select the cluster created earlier from the drop-down list and click "Next".

Step6


The wizard page above lets you specify the dynamic cluster properties. Most of them are self-explanatory, but let me try to throw some light on them here.


Minimum number of cluster instances

* If other dynamic clusters need resources, stop all instances of this cluster during periods of inactivity

If this option is selected and other dynamic clusters need resources, the dynamic cluster manager can free up the resources of these cluster members by stopping all of their instances.

Time to wait before stopping instances:

This specifies the wait time, in minutes, before the instances are stopped.

Keep one instance started at all times

This keeps one instance up and running at all times.

Keep multiple instances started at all times

Here you can specify the number of instances to be kept up and running.


Maximum number of cluster instances

Limit the number of instances that can start

This specifies the maximum number of instances that can be started at any given time, i.e. any started instances above this value will be stopped automatically.

Do not limit the number of instances that can start

This allows an unlimited number of instances to be started, but ensure you have enough resources to accommodate the requirement.

Isolation preference

No isolation requirements

This option specifies that the members don't have any isolation requirements.

Strict isolation

This specifies that the cluster member must be the only running process when started.

Associate with isolation group

Here you can specify an isolation group; members of that group can share the node.

 
Step7

Select the above two options for the current scenario.

Step8


This shows the description of the selected options.
Click on "Finish".

Step9

As I created a two-member cluster before initiating the dynamic cluster configuration, you can see that the dynamic cluster is created with two cluster members.


Dynamic Cluster - Verification

Step1
 

If you check the drop-down list above you will notice three values.
Currently the value is Manual.

Manual :- This is as good as a static cluster.
Supervised:- Here you get recommendations, which you can either approve or reject.
Automatic:- This option enables intelligent management to take actions, including provisioning, automatically.


Step2

Select "Automatic" from the drop-down list and press "Set Mode".

Step3
 

You can notice that the value has changed to "Automatic" instead of Manual.
Click on the cluster name link; you will get the page below.

Step4

Select the above two options. The first ensures one instance is always up and running, whereas the second limits the number of instances to one,
i.e. it will not allow more than one instance of that cluster to be up and running simultaneously.


Step5

Click on the "Dynamic Cluster Member" link to see the status of the cluster members.

Step6

You can notice from the figure above that only one cluster member is up and the other one is down.

Step7

Now let us try stopping the running cluster member to test our dynamic cluster configuration.
The assumption is:- intelligent management should ensure at least one cluster member is up and running even if we stop all the members.
Note:- Starting/stopping takes some time, so you need to wait to see the actual status.

Step8

Note that the other cluster member got started automatically.
Here you can notice that even though the second cluster member was stopped earlier, stopping the first cluster member started the second cluster member automatically. It need not always be the other (second) member; intelligent management decides which member to start based on various factors.

Now it is your turn .....
I am giving you a scenario to test by yourself.
Please perform the test below and record the results in a comment.
Start the first (stopped) cluster member and wait for the intelligent manager to take action. Observe the cluster member status. Analyze the status and let me know which configuration is enabling it.






Disabling global security – Three ways

1.) Directly editing security.xml (Not recommended)

a.) Open the security.xml file at the Dmgr profile config path (PROFILE_ROOT\config\cells\<cell_Name>\)
b.) Search for the first occurrence of the string “enabled” and change it to enabled=”false”
c.) Restart the Dmgr.

Note:- If enabled is already false, global security is not enabled.
Caution:- Take a backup of the file before editing the file.

2.) Using wsadmin commandline.

a.) Navigate to the Dmgr bin path and enter the wsadmin prompt (./wsadmin.sh).
b.) Enter the command securityoff().
c.) Restart the Dmgr process.

Note:- For JACL, use the JACL format, i.e. “securityoff”

3.) Through Admin Console.

a.) Log in to the Admin console.
b.) Navigate to “Global Security”.
c.) Deselect “Enable administrative security” (if it is not selected, global security is already disabled).
d.) Save & Sync.
e.) Restart the Dmgr.