WebSphere FAQs… you don’t ask because they might think you don’t know basics: Part-4

This is the 4th part in this series.

The following is a link to an IBM developerWorks article which covers many FAQs on security.

List of Questions

  1. When does WebSphere Application Server contact the registry for user
  2. Does WebSphere Application Server work with NIS?
  3. What are my options if I want to turn on security with a non-administrator account in a Windows environment?
  4. What are my options if I want to turn on security with a non-root server ID in a UNIX environment?
  5. Will Local OS authentication work in a distributed environment?
  6. My users authenticate with one userid but I want them to be identified with another ID from LDAP. Is that possible?
  7. When using a federated repository, is there a way to ensure that my file-based registry will continue to function when a LDAP server is down?
  8. Why do I need to enable SSO when using form-based login in my WebSphere Application Server application?
  9. I want to force my users to login again after a set “inactivity timeout” period. How is WebSphere Application Server supposed to work with regard to session timeouts and LTPA timeouts?
  10. Is there anything I can do to prevent my LTPA keys from becoming out of sync between my cells?
  11. Can a WebSphere Application Server cell span multiple DNS domains?
  12. Why is SWAM usage discouraged?
  13. When should I use a custom login module versus a TAI to assert identity information?
  14. How do I change my passwords (database, LDAP, and so on) without causing an outage?
  15. What WebSphere Application Server proprietary extensions provide for J2EE security?
  16. Does WebSphere Application Server support CA Siteminder?
  17. WebSphere Application Server stores passwords XOR encoded. I’d like to use something stronger. What can I do?
  18. How can I debug the Java 2 security exceptions and AccessControlExceptions?
  19. Is there any documentation available on how best to configure Microsoft Active Directory with WebSphere Application Server?

Link to document


WebSphere FAQs… you don’t ask because they might think you don’t know basics: Part-3

What is a keystore?

A keystore is a database that contains private keys with their associated certificates. The keystore will be used for encrypting/signing something with your private key.

What is a truststore?

A truststore contains certificates to trust, such as CA certs and remote server certs. Truststores are used mostly to authenticate remote servers.

What is a root certificate?

A root certificate is either an unsigned public key certificate or a self-signed certificate that identifies the Root Certificate Authority (CA). Digital certificates are verified using a chain of trust. The trust anchor for the digital certificate is the Root Certificate Authority (CA).

A root certificate is the top-most certificate of the tree, the private key of which is used to “sign” other certificates. All certificates immediately below the root certificate inherit the trustworthiness of the root certificate. Certificates further down the tree also depend on the trustworthiness of the intermediates.

The root certificate is usually made trustworthy by some mechanism other than a certificate, such as by secure physical distribution. For example, some of the most well-known root certificates are distributed in the Internet browsers by their manufacturers. [From Wikipedia]

What is an intermediate certificate?

A Trusted Root CA certificate can also be used to create another certificate, which in turn is used to issue SSL certificates. So, an intermediate certificate is a subordinate certificate issued by the trusted root specifically to issue end-entity server certificates. The result is a certificate chain that begins at the trusted root CA, passes through the intermediate and ends with the SSL certificate issued to you. Such certificates are called chained root certificates. As the intermediate certificate is issued by the Trusted Root CA, any SSL certificates issued by the intermediate certificate inherit the trust of the Trusted Root, effectively creating a certification chain of trust.

Why use intermediate certificates?

There are mainly two advantages.

1) Creating certificates directly from the CA root certificate increases the risk of root certificate compromise, and if the CA root certificate is compromised, the entire trust infrastructure built by the SSL provider will fail. The usage of intermediate certificates for issuing SSL certificates to end entities, therefore, provides an added level of security.

2) Intermediates also help by constraining the size of the Certificate Revocation List (CRL) associated with a certificate product. By periodically rolling over the intermediate CA that signs the end-entity certificates, CRLs are kept to a minimum. Maintaining optimal CRL sizes ensures that customers have a smooth and seamless experience visiting SSL-secured websites while full security is maintained transparently to customers/end users.
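
The chain of trust described above, as an added example that is not from the original post: the script builds a throwaway root CA, intermediate CA and server certificate with the `openssl` CLI, then verifies the server certificate against a truststore that holds only the root, with and without the intermediate being presented. All subjects, file names and the host name `was.example.test` are constructed for the demo.

```shell
#!/bin/sh
# Added example with constructed names: root CA -> intermediate CA -> server cert.

build_chain() {   # $1 = empty work directory
  d="$1"
  cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder-replaced-by-subj
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_int]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:was.example.test
EOF
  # Root: self-signed; its private key signs only the intermediate.
  openssl req -x509 -config "$d/demo.cnf" -extensions v3_root -newkey rsa:2048 \
    -nodes -sha256 -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null || return 1
  # Intermediate: CSR signed by the root, allowed to issue end-entity certs only.
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -set_serial 2 -sha256 -days 30 -extfile "$d/demo.cnf" -extensions v3_int \
    -out "$d/int.crt" 2>/dev/null || return 1
  # Server (end-entity) certificate: CSR signed by the intermediate.
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=was.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -set_serial 3 -sha256 -days 30 -extfile "$d/demo.cnf" -extensions v3_leaf \
    -out "$d/leaf.crt" 2>/dev/null || return 1
}

# The verifier trusts only root.crt (its truststore).
# $2 = "with" when the server also presents int.crt from its keystore.
verify_leaf() {
  if [ "$2" = "with" ]; then
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" \
      "$1/leaf.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1
  fi
}

work=$(mktemp -d)
if build_chain "$work"; then
  verify_leaf "$work" with && echo "leaf + intermediate, root trusted: verifies"
  verify_leaf "$work" without || echo "leaf alone, root trusted: fails, issuer not found"
fi
rm -rf "$work"
```

In keystore/truststore terms, `leaf.key`, `leaf.crt` and `int.crt` belong in the server's keystore, while the client's truststore needs only `root.crt`.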

What is inbound and outbound in the SSL settings in WebSphere?

Simply imagine the bus routes in your city. They are named north-bound, south-bound and so on, based on the direction they travel.

In WebSphere, inbound/outbound does the same: it specifies the direction of the SSL connection. Inbound represents all server endpoints that receive connections. Outbound represents all the client-side connections from the various servers within the cell.

What does a WebSphere Application Server release mean?

Simply, it is a new version, like 6.0, 6.1, 7.0, 8.0 etc. These releases include major new functions, architectural changes, etc.

What is a refresh pack?

A refresh pack includes minor new features and fixes. Say 6.0.1 is a refresh pack for 6.0 and 6.0.2 is a refresh pack for 6.0.1. If you are now applying refresh pack 6.0.2, it includes all the features and fixes in 6.0.1 plus the fix packs and interim fixes published for 6.0.1. So a refresh pack is cumulative.

What is a fix pack?

A fix pack is a package of fixes. Fix packs install on top of refresh packs or on top of previous packs. For example, your present software version is 6.1.0 and you are applying, this is called a fix pack and will also be called fix pack 23 for 6.1.0. After applying this fix pack 23, your server version will be

A fix pack uninstalls all interim fixes applied to the release since the last refresh pack or fix pack was installed. Therefore IBM suggests checking the list of delivered fixes to determine if an interim fix needs to be installed.
May not be correct but in other words, a fix pack is a package of fixes for a refresh pack.

What is a fix/interim fix/emergency fix etc.?

These are single fixes published to resolve a product defect or known issue. The next release of the fix pack will contain these interim/emergency fixes, and you are expected to apply the new fix pack.

Note: The questions answered in this series are some of the questions I was asked through email from my blog subscribers/users, and the questions in part-3 were asked a minimum of 3 times.

WebSphere FAQs… you don’t ask because they might think you don’t know basics: Part-2

1. What is a connection pool?

A connection pool is a cache of database connections maintained so that the connections can be reused when future requests to the database are required. Connection pools are used to enhance the performance of executing commands on a database. In connection pooling, after a connection is created, it is placed in the pool and it is used over again so that a new connection does not have to be established. If all the connections are being used, a new connection is made and is added to the pool. Connection pooling also cuts down on the amount of time a user must wait to establish a connection to the database.

2. What is a virtual host in WebSphere Application Server?

A virtual host is a configuration, not a physical host. It is a configuration that lets a single machine resemble multiple host machines. Each virtual host has a logical name and a list of one or more DNS host aliases by which it is known. By default, we will have the default_host and admin_host virtual hosts defined in WebSphere Application Server.

3. How do I connect my application to talk to a database?

To achieve this, you need to create a JDBC provider and a data source. The JDBC provider object encapsulates the specific JDBC driver implementation class for access to the specific vendor database of your environment. The data source object supplies your application with connections for accessing the database. The best way to learn more about this task is to log in to the administration console –> guided activities –> connecting to a database.

4. How can i make sure that my servers are available while restarting a cluster?

Use the ripplestart option. It first stops and then restarts each member of the cluster.

5. I’ve made some changes to my application’s web.xml. How and where should I update this file?

You can do this from the administration console. Go to enterprise applications –> select your application and click update. On the next panel, you’ll have the option to update the entire application, a single module, or even a single file or multiple files.

Select the single file option and specify the path of the file you would like to update. Specify a relative path to the file that starts from the root of the war/ear file. So it looks something like this: app1.war/WEB-INF/web.xml

6. How do I minimize the downtime while I’m updating the applications?

Use the rollout update option. This option sequentially updates an application on multiple cluster members across a cluster. After you update an application’s files or configuration, click Rollout Update to install the application’s updated files or configuration on all cluster members of a cluster on which the application is installed.
Rollout update saves the application configuration, then stops the cluster members on a node, syncs the configuration and starts the cluster members on that node. Then it proceeds to the next node and does the same steps.

7. We are getting a ‘class not found’ error and the developers would like to know whether that class is being loaded or not. How can I help them troubleshoot the issue?

The WebSphere administration console has a utility with which you can see what classes are loaded at what scope for an application. Go to Troubleshooting –> class loader viewer and select the module.

8. We had some issue with our application server and we tried killing it using the kill -9 command. The process disappeared for a few seconds but it is back again. We did not start the server but it started. What would be the reason?

Go to Servers > Application Servers > server_name. Then, under Server Infrastructure, click Java and Process Management > Process Definition > process > Monitoring Policy. Here we have an option, Automatic Restart, which specifies whether the process should restart automatically if it fails. On distributed systems, the default is to restart the process automatically.

9. Is there a way I can start my server along with the nodeagent?

Go to Servers > Application Servers > server_name. Then, under Server Infrastructure, click Java and Process Management > Process Definition > process > Monitoring Policy. Here we have an option, Node Restart State, which specifies the desired behavior of the servers after the node completely shuts down and restarts.

  • STOPPED – node agent does not start the server.
  • RUNNING – the node agent always starts the server.
  • PREVIOUS – the node agent starts the server only if the server was running when the node agent stopped.

Note: The questions answered in this series are some of the questions I was asked through email from my blog subscribers/users.

Next FAQ session is a compilation of questions on SSL.

WebSphere FAQs… you don’t ask because they might think you don’t know basics: Part-1

Many times you don’t ask your doubts, because that question may make other people think that you are dumb or don’t know something. Here are some of the questions from that category

1. What is websphere?

The moment you ask this question, the first question that comes to mind is WebSphere application server. In reality, WebSphere is the name of a product family. IBM has many more products under the brand name WebSphere. WebSphere Application Server, WebSphere MQ, WebSphere Message broker, WebSphere business modeler, WebSphere process Server, WebSphere business monitor, WebSphere integration developer, WebSphere partner gateway are some of the products under this brand name.

2. What is a profile in WebSphere Application Server?

When you install WebSphere Application Server, executable files and configuration files are separated. This allows you to install the product once and create multiple sets of configurations which use the same underlying core executables of the WebSphere Application Server installation. These are the profiles in WebSphere Application Server. As you know, there are many types of profiles and you can create multiple profiles.

3. What does the nodeagent do in WebSphere Application Server?

We will have one nodeagent per node. The node agent acts as a mediator between the Deployment Manager and the node.

4. What is Sync in WebSphere Application Server?

WebSphere Application Server stores all the configuration data in one central location known as the ‘Master repository’, and every node/server has a local configuration repository. The sync process makes sure that the configurations in the local and master repositories are the same and in sync. The sync is a one-way process: it syncs the configurations only from Master repository ==> local repository.

5. What is the WebSphere plug-in for a web server and where do I need to install the plug-in?

It is common practise to have web and app servers on different machines. WebSphere provides a plug-in which enables the web server to talk to the application server; this is known as the web server plug-in. The web server plug-in has a configuration file named plugin-config.xml which has references to all the servers, clusters, applications and virtual hosts of the WebSphere Application Server. You can generate this configuration file from the administration console, servers –> web servers. Select a web server, click generate plugin configuration file and then propagate the plugin. This plug-in needs to be installed on the web server machine.

6. I don’t have WebSphere installed on my web server. How do I add it to the WebSphere administration console?

If you would like to add your web server to the WebSphere administration console, you can do that by creating an unmanaged node and then adding it from servers –> web servers.

7. Do I need a web server if I have a WebSphere Application Server?

A web server and WebSphere Application Server provide two different functionalities. WebSphere Application Server does have inbuilt web server functionality, but it is recommended to use a separate web server for many reasons. Some of them are: 1. By separating web and application server activities, your application serving environment is more secure. 2. Using the web server you can load balance the requests between multiple application servers.

8. How do I edit/modify the property/configuration files?

It is recommended to modify all the configurations using the administration console. When you make any configuration changes, you need to apply the changes and sync them. Any changes you make at the local repository level are discarded upon the next restart of that server, because the sync is always from DMGR to local repository and the changes are not saved to the master repository. For example, if you edit a configuration file of server1 and restart it, the changes are lost. When the server starts, it syncs the configuration from the master repository.

9. What happens if my DMGR is not running?

DMGR is the single point of failure in the WebSphere network deployment model. Even if DMGR is down, the rest of the servers will continue to run and serve the applications. However, any changes you make in this situation are not saved to the master configuration repository.

10. I installed a new application. What do I need to do before I can access it from the web server URL?

When you install a new application or update an application, your web server needs to be aware of the changes, which means you need to update the web server plug-in configuration file. So after a successful installation of an application with mapping to the web server, you need to regenerate the plug-in configuration file and propagate it to the web server.

WebSphere Application Server Questions (part-6)

1) What is the default user registry if you enable Global Security at the time of installation?
It’s federated repositories… actually it is a file

2) Which commands require username/password if you enable admin security?
All stop*, syncNode, addNode(?)

3) When can you enable global security?
– While installing
– After installation also

4) Does enabling admin security need J2EE security to be enabled?

5) Does enabling admin security enable J2EE security?

6) What is the most important step to do if you change your user repository?
Recycle all the JVMs; otherwise the key tokens will not be updated for the new repo.

7) Who can change admin security settings?

8) What is the tool supplied by IBM for SSL management in WebSphere?

9) How do you change the cell-wide SSL?

10) How do you replace the default plugin-key.kdb file with a new kdb file?

11) Can we use different SSL for nodes and plugin?

WebSphere Application Server Questions [part-5]

Tracing is when you go through an entire program and record the value of variables and the output. You trace a program when you want to find out what actually went wrong.

It will be under Enterprise applications -> app name -> startup behaviour -> Startup order in the admin console.

I’m sure what they mean by code here. I think, in case of applications, export them from in DEC and deploy in TEST.

SSL certificates are digitally signed certificates, used for message/communication integrity and confidentiality. Generally, data is encrypted at the sender side and decrypted at the receiver side.

It is part of the ITIL process. A simple explanation is: when there is a problem in your WAS environment, which procedure do you follow?

First look at the logs for errors. If you find the error, save the logs and start your application. Then start troubleshooting.
If no error is found, run a trace and look for FFDC etc.

No relation. Heap settings should be made depending on the application.

The admin console can be viewed from a remote machine which has a browser, if not behind a firewall.

A file descriptor is a handle created by a process when a file is opened. There is a limit to the amount of file descriptors per process. If the file descriptor limit is exceeded for a process, you may see the following error: “Too Many Open Files”

Check why there is a port conflict.
Run the updateports script in WAS.

WebSphere Application Server Questions [part-4]

How do you create a cluster?

Go to servers -> clusters -> new -> give cluster_name -> define first member -> define other members -> finish

How do you add a new cluster member?
Go to servers -> clusters -> cluster_name -> cluster members -> new -> give name/node/others -> apply -> ok -> save

One of the cluster members (JVM) is having issues. To troubleshoot the issue, you decide to take it out of the cluster. How do you do that?
Set its runtime weight to 0

In a complex environment, there are 10 machines. Machine A has 8GB of RAM and machine B has 2GB of RAM. The administrator decides to send twice as many requests to machine A as to machine B. How can he achieve it?
Give machine A twice the weight of machine B

After making some changes on a cluster, it is required to recycle/restart all the cluster JVMs. The lead admin told you to make sure that there is no downtime during this recycle. Which option do you use to achieve it?

A large application which has 5 web modules has been deployed on to a cluster. After some months, the developer asks you to update one of the 5 web modules. How do you do it?

Can you change the cluster name once it has been created?