Tuesday, October 30, 2012

WAS: Configure Secure File Transfer

Install the filetransferSecured application so that the deployment manager responds only to file transfer requests from trusted servers in the cell when it communicates configuration updates to node agents.

The commands to install the filetransferSecured application (if it is not already installed by default) are:

cd <profilehome>\bin
wsadmin.bat -user <wasadminuser> -password <waspassword>
wsadmin> source ../../../bin/redeployFileTransfer.jacl
wsadmin> fileTransferAuthenticationOn <your cell name> <dmgr node name> dmgr
wsadmin> $AdminConfig save

This ensures that configuration updates are legitimate and eliminates the risk of configuration settings being compromised.


To determine the current state of the file transfer authentication, see the systemapps.xml file in the <WAS_INSTALL_DIR>/AppServer/profiles/<PROFILE>/config/cells/cell_name/nodes/node_name directory:

This entry indicates that authentication is on:

<deployedApplications>${app_server_root}/
   systemApps/filetransferSecured.ear</deployedApplications>

This entry indicates that authentication is off:

<deployedApplications>${app_server_root}/
   systemApps/filetransfer.ear</deployedApplications>
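
The check described above can be scripted across every node in the configuration tree. This is an added example, not IBM-supplied code; the function names and the sample cell and node names (cell1, dmgrNode, appNode) are hypothetical, and the sample files are constructed from the two entries shown above.

```shell
#!/bin/sh
# Added example, not IBM code. Reports the file transfer authentication state
# recorded in systemapps.xml, using the two entries shown above.

# Print on / off / mixed / unknown for one systemapps.xml file.
filetransfer_auth_state() {
    # The entry can wrap across lines, so drop all whitespace before matching.
    flat=$(tr -d ' \t\r\n' < "$1") || return 2
    secured=no
    unsecured=no
    case $flat in *systemApps/filetransferSecured.ear*) secured=yes ;; esac
    case $flat in *systemApps/filetransfer.ear*) unsecured=yes ;; esac
    case $secured$unsecured in
        yesno)  echo on ;;
        noyes)  echo off ;;
        yesyes) echo mixed ;;
        *)      echo unknown ;;
    esac
}

# Check every node under <config root>/cells; return 1 if any node is not "on".
audit_config_root() {
    rc=0
    for f in "$1"/cells/*/nodes/*/systemapps.xml; do
        [ -f "$f" ] || continue
        state=$(filetransfer_auth_state "$f")
        echo "$state $f"
        [ "$state" = on ] || rc=1
    done
    return $rc
}

# Constructed sample tree (hypothetical cell and node names) for a dry run.
make_sample_config() {
    root=$(mktemp -d)
    mkdir -p "$root/cells/cell1/nodes/dmgrNode" "$root/cells/cell1/nodes/appNode"
    printf '%s\n' '<deployedApplications>${app_server_root}/' \
        '   systemApps/filetransferSecured.ear</deployedApplications>' \
        > "$root/cells/cell1/nodes/dmgrNode/systemapps.xml"
    printf '%s\n' '<deployedApplications>${app_server_root}/' \
        '   systemApps/filetransfer.ear</deployedApplications>' \
        > "$root/cells/cell1/nodes/appNode/systemapps.xml"
    echo "$root"
}

# Usage: pass the profile's config directory as the only argument.
if [ "$#" -eq 1 ]; then
    audit_config_root "$1"
fi
```

A non-zero exit status means at least one node still has the unsecured application deployed, or has neither entry.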

Thursday, October 25, 2012

WAS: enable JVM trace

1. Add both of the following Generic JVM Arguments in the WebSphere     
Admin Console:                                                          
                                                                        
-Xtrace:none -Xtrace:maximal=mt,methods={com/ibm/jsse2/SSLSocketImpl.<init>} -Xtrace:trigger=method{com/ibm/jsse2/SSLSocketImpl,jstacktrace} -Xtrace:stackdepth=25,output={sslsockettrace,50m} -Xdump:system:events=systhrow,filter=java/lang/OutOfMemoryError                                       
                                                                        
The use of -Xtrace:none at the beginning turns off the default Java     
trace, which can be verbose. This allows us to see the java stack traces
we want more clearly in the trace file.                                 
                                                                        
2. This setting is expected to produce a binary trace file named        
sslsockettrace. Once the OOM has been reproduced, please format the     
binary trace created from the argument above by issuing the following   
command from the WPS install root/java/bin directory. Here's an example:
                                                                        
D:/IBM/WPS/java/bin/java com.ibm.jvm.format.TraceFormat sslsockettrace  
                                                                        
3. Then send in the formatted file, which will be named:                
                                                                        
sslsockettrace.fmt          

Tuesday, October 23, 2012

PCT/WCT Logs

The following configuration files and logs should be collected to investigate
failures related to PCT configuration actions. This includes problems with the
execution of the underlying ant scripts, utilization of input parameters, creation
of the IBM HTTP Administration Service (Windows), creation of the
configurewebserver(x).bat, etc.
LOGS:
1. WebServerPluginConfiguration.log
2. wct.log
3. configure_<WEBSERVER_TYPE>_webserver.log
4. install<WEBSERVER_TYPE>Plugin.log
5. IHSAdminConfiguration.log
(if configuring IBM HTTP Administration Server)

Friday, October 19, 2012

Certificate: Load certificate into Java JRE Key Store

The default keystore password is changeit.
1. As root, change to the $JAVA_HOME/jre/lib/security directory
# cd $JAVA_HOME/jre/lib/security
2. Back up cacerts
3. Acquire the certificate to be imported and save it as /var/tmp/my-root-cert.cert
4. Import it into cacerts
# keytool -import -alias MY-ROOT-CERT -keystore cacerts -file /var/tmp/my-root-cert.cert
5. Verify the imported certificate
# keytool -list -v -keystore cacerts
Alias name: my-root-cert
Creation date: 19-Oct-2012
Entry type: trustedCertEntry
Owner: O=MY, C=CA
Issuer: O=MY, C=CA
Serial number: 4eb0261b
Valid from: Tue Nov 01 12:32:27 EDT 2011 until: Sat Nov 01 13:02:27 EDT 2031
Certificate fingerprints:
         MD5:  97:F6:B9:70:6B:FA:A6:BD:B9:17:52:77:2E:E7:AC:11
         SHA1: D6:CF:7E:5A:BD:6A:76:EF:54:7D:95:B0:EC:4E:80:B1:62:9D:61:A1
or
#  keytool -list -v -keystore cacerts -alias my-root-cert
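
An added example (not part of the original post) that carries out steps 2 to 4 only when the certificate's fingerprint matches a value obtained out of band, so an unexpected root is never trusted. The function names are hypothetical; it assumes it is run as root from $JAVA_HOME/jre/lib/security, and the sample fingerprint lines are the ones in the listing above.

```shell
#!/bin/sh
# Added example, not from the original post. Imports a CA certificate into
# cacerts only when its fingerprint matches a value obtained out of band.

# Lower-case a fingerprint and strip separators so formats compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'A-F' 'a-f'
}

# Read "keytool -printcert" or "keytool -list -v" output on stdin and print
# the normalized fingerprint for one label (MD5, SHA1, or SHA256 where the
# installed keytool prints it). Prints nothing when the label is absent.
extract_fp() {
    line=$(sed -n "s/^[[:space:]]*$1:[[:space:]]*\([0-9A-Fa-f:]*\).*/\1/p" | head -n 1)
    normalize_fp "$line"
}

# import_pinned <cert file> <alias> <fingerprint label> <expected fingerprint>
# Assumes the current directory holds cacerts.
import_pinned() {
    cert=$1
    entry=$2
    label=$3
    expected=$(normalize_fp "$4")
    actual=$(keytool -printcert -file "$cert" | extract_fp "$label")
    # An empty result (unreadable file, missing label) is treated as a mismatch.
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $cert: got '$actual'" >&2
        return 1
    fi
    # Step 2: keep a timestamped backup before touching the trust store.
    cp -p cacerts "cacerts.bak.$(date +%Y%m%d%H%M%S)" || return 2
    # Step 4: keytool asks for the keystore password (default: changeit).
    keytool -import -noprompt -alias "$entry" -keystore cacerts -file "$cert"
}

# Fingerprint lines as printed in the listing above, for a dry run of the parser.
sample_listing() {
    printf '%s\n' 'Certificate fingerprints:' \
        '         MD5:  97:F6:B9:70:6B:FA:A6:BD:B9:17:52:77:2E:E7:AC:11' \
        '         SHA1: D6:CF:7E:5A:BD:6A:76:EF:54:7D:95:B0:EC:4E:80:B1:62:9D:61:A1'
}

# Usage: import_pinned.sh <cert file> <alias> <label> <expected fingerprint>
if [ "$#" -eq 4 ]; then
    import_pinned "$@"
fi
```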

Thursday, October 18, 2012

Power Path: Linux to discover new LUN


1. Display the existing LUNs using the powermt command

# powermt display dev=all

Save the output to compare later.

2. List the disks using fdisk
# fdisk -l > /tmp/b4scan.txt

3. Force the system to scan for the new LUN
# echo - - - > /sys/class/scsi_host/host0/scan

4. List the disks again using fdisk
# fdisk -l > /tmp/afterscan.txt

5. Diff /tmp/afterscan.txt and /tmp/b4scan.txt to check whether any new disk was discovered.
# diff /tmp/afterscan.txt /tmp/b4scan.txt

6. Force PowerPath to rescan
# powermt config

7. Verify that the new LUN was discovered.

Monday, October 15, 2012

WebSphere: PCT command line

Problem:
wctcmd.bat -tool pct -defLocPathname "C:\Program Files (x86)\IBM\WebSphere\Plugins" -defLocName webserver1 -response C:\apps\dmgr.rsp


Launching tool pct ...
com.ibm.wsspi.profile.WSProfileException: File wasprofile.properties could not be located.

Resolution:

The solution is to replace each single backslash in the paths in your response file with a double backslash, e.g. d:\windows\a --> d:\\windows\\a

For example:

configType=local_distributed
enableAdminServerSupport=true
enableWinService=true
ihsAdminPort=8008
ihsWindowsStartupType=auto
mapWebServerToApplications=true
profileName=Dmgr01
wasExistingLocation=C:\\Program Files (x86)\\IBM\\WebSphere\\AppServer
wasMachineHostName=WASABCCWDVAPP02
webServerConfigFile1=C:\\Program Files (x86)\\IBM\\HTTPServer\\conf\\httpd.conf
webServerDefinition=webserver1
webServerHostName=WASABCCWDVAPP02.goweekend.ca
webServerInstallArch=32
webServerPortNumber=80
webServerSelected=ihs
webServerType=IHS

Friday, October 12, 2012

Solaris 10: Find LUN id

Step 1. Use format command to find your disk.

      12. c4t60060480000190105493533033443843d0 <EMC-SYMMETRIX-5773 cyl 65533 alt 2 hd 120 sec 269>
          /scsi_vhci/ssd@g60060480000190105493533033443843

Step 2. Find Logical Path of the disk

# luxadm probe|grep c4t60060480000190105493533033443843d0
    Logical Path:/dev/rdsk/c4t60060480000190105493533033443843d0s2

Step 3. Get Device Address
# luxadm display /dev/rdsk/c4t60060480000190105493533033443843d0s2
DEVICE PROPERTIES for disk: /dev/rdsk/c4t60060480000190105493533033443843d0s2
  Vendor:               EMC    
  Product ID:           SYMMETRIX      
  Revision:             5773
  Serial Num:           105493"R0
  Unformatted capacity: 1035787.500 MBytes
  Read Cache:           Enabled
    Minimum prefetch:   0x0
    Maximum prefetch:   0xffff
  Device Type:          Disk device
  Path(s):
  /dev/rdsk/c4t60060480000190105493533033443843d0s2
  /devices/scsi_vhci/ssd@g60060480000190105493533033443843:c,raw
   Controller           /devices/pci@500/pci@0/pci@9/SUNW,qlc@0/fp@0,0
    Device Address              50060482d531e552,335    Host controller port WWN    21000024ff3019ea
    Class                       primary
    State                       ONLINE
   Controller           /devices/pci@500/pci@0/pci@9/SUNW,qlc@0,1/fp@0,0
    Device Address              50060482d531e558,335    Host controller port WWN    21000024ff3019eb
    Class                       primary
    State                       ONLINE

Thursday, October 11, 2012

Solaris 10 HBA & NIC

bash-3.00# cfgadm -al -o show_SCSI_LUN
Ap_Id                          Type         Receptacle   Occupant     Condition
c2                             fc-fabric    connected    configured   unknown
c2::5006016646e04c1b,0         disk         connected    configured   unknown
c2::5006016646e04c1b,1         disk         connected    configured   unknown
c2::5006016c46e04c1b,0         disk         connected    configured   unknown
c2::5006016c46e04c1b,1         disk         connected    configured   unknown
c2::50060482d531e552,0         disk         connected    configured   unknown
c2::50060482d531e552,821       disk         connected    configured   unknown
c2::5006048ad52ea508,263       disk         connected    configured   unusable
c3                             fc-fabric    connected    configured   unknown
c3::5006016446e04c1b,0         disk         connected    configured   unknown
c3::5006016446e04c1b,1         disk         connected    configured   unknown
c3::5006016e46e04c1b,0         disk         connected    configured   unknown
c3::5006016e46e04c1b,1         disk         connected    configured   unknown
c3::50060482d531e558,0         disk         connected    configured   unknown
c3::50060482d531e558,821       disk         connected    configured   unknown
c3::5006048ad52ea507,263       disk         connected    configured   unusable

prtconf -D

                network, instance #0 (driver name: nxge)
                network, instance #1 (driver name: nxge)
                network, instance #2 (driver name: nxge)
                network, instance #3 (driver name: nxge)
bash-3.00# dladm show-dev
nxge0           link: up        speed: 100   Mbps       duplex: full
nxge1           link: up        speed: 1000  Mbps       duplex: full
nxge2           link: up        speed: 1000  Mbps       duplex: full
nxge3           link: unknown   speed: 0     Mbps       duplex: unknown
bash-3.00# dladm show-link
nxge0           type: non-vlan  mtu: 1500       device: nxge0
nxge1           type: non-vlan  mtu: 1500       device: nxge1
nxge2           type: non-vlan  mtu: 1500       device: nxge2
nxge3           type: non-vlan  mtu: 1500       device: nxge3
aggr1           type: non-vlan  mtu: 1500       aggregation: key 1

bash-3.00# fcinfo hba-port
HBA Port WWN: 21000024ff3019ea
        OS Device Name: /dev/cfg/c2
        Manufacturer: QLogic Corp.
        Model: 375-3356-02
        Firmware Version: 05.03.02
        FCode/BIOS Version:  BIOS: 2.02; fcode: 2.01; EFI: 2.00;
        Serial Number: 0402H00-1028846443
        Driver Name: qlc
        Driver Version: 3.00p
        Type: N-port
        State: online
        Supported Speeds: 1Gb 2Gb 4Gb
        Current Speed: 2Gb
        Node WWN: 20000024ff3019ea
HBA Port WWN: 21000024ff3019eb
        OS Device Name: /dev/cfg/c3
        Manufacturer: QLogic Corp.
        Model: 375-3356-02
        Firmware Version: 05.03.02
        FCode/BIOS Version:  BIOS: 2.02; fcode: 2.01; EFI: 2.00;
        Serial Number: 0402H00-1028846443
        Driver Name: qlc
        Driver Version: 3.00p
        Type: N-port
        State: online
        Supported Speeds: 1Gb 2Gb 4Gb
        Current Speed: 2Gb
        Node WWN: 20000024ff3019eb
bash-3.00# prtconf -vp | grep -i wwn
                    node-wwn:  20000024.ff3019ea
                    port-wwn:  21000024.ff3019ea
                    node-wwn:  20000024.ff3019eb
                    port-wwn:  21000024.ff3019eb
# prtpicl -v | grep wwn
:node-wwn  20  00  00  1b  32  xx  xx  xx
:port-wwn  21  00  00  1b  32  xx  xx  xx
:node-wwn  20  01  00  1b  32  yy  yy  yy
:port-wwn  21  01  00  1b  32  yy  yy  yy
bash-3.00# luxadm -e port
/devices/pci@500/pci@0/pci@9/SUNW,qlc@0/fp@0,0:devctl              CONNECTED
/devices/pci@500/pci@0/pci@9/SUNW,qlc@0,1/fp@0,0:devctl            CONNECTED


ndd
kstat


       8. c2t50060482D531E552d0 <EMC-SYMMETRIX-5773 cyl 1 alt 2 hd 15 sec 128>
          /pci@500/pci@0/pci@9/SUNW,qlc@0/fp@0,0/ssd@w50060482d531e552,0
       9. c3t50060482D531E558d0 <EMC-SYMMETRIX-5773 cyl 1 alt 2 hd 15 sec 128>
          /pci@500/pci@0/pci@9/SUNW,qlc@0,1/fp@0,0/ssd@w50060482d531e558,0
      10. c4t60060160C5302E0024E16D0B8177E111d0 <DGC-VRAID-0531 cyl 52214 alt 2 hd 255 sec 189>
          /scsi_vhci/ssd@g60060160c5302e0024e16d0b8177e111
      11. c4t60060480000190102164533030363039d0 <drive not available>
          /scsi_vhci/ssd@g60060480000190102164533030363039
      12. c4t60060480000190105493533033443843d0 <EMC-SYMMETRIX-5773 cyl 65533 alt 2 hd 120 sec 269>
          /scsi_vhci/ssd@g60060480000190105493533033443843

Wednesday, October 10, 2012

Aggregate multiple NIC’s with dladm in Solaris 10

ARTICLE UPDATED 05/22/2009 — Update at bottom of the page.
Likely old news to many of you, but dladm is pretty slick.
A company that I work with has some Sun X4500 boxes that they use for various tasks. The X4500, also known as Thumper, shipped with four e1000g interfaces and 24TB or 48TB of raw storage, all in a 4U 160 pound box. Though discontinued by Sun and replaced with the nicer x4540 box, these old Thumpers are fine machines.
Recently I found the need to use three of the four interfaces for a larger pipe to a Cisco switch that allows port aggregation. The reasons for doing this or for using 3 ports are not really important; in your environment you might do things differently. After the box was racked and cabled, the switch was configured for the ports used.
Moving on to the server, I was amazed at how simple it was to bond the three interfaces together in Solaris 10 using the dladm command.
On this hardware the devices were e1000g0 -> e1000g3.
The man page for dladm contained all I needed to get started.
First, a look at the devices. (switch ports were disabled at this time.)

root@thumper2 # dladm show-dev
e1000g0 link: down speed: 0 Mbps duplex: half
e1000g1 link: unknown speed: 0 Mbps duplex: half
e1000g2 link: unknown speed: 0 Mbps duplex: half
e1000g3 link: unknown speed: 0 Mbps duplex: half

To create an aggregate with the three devices and give it an integer as the aggregate instance the command was simply:

root@thumper2 # dladm create-aggr -d e1000g0 -d e1000g1 -d e1000g2 1
dladm: create operation failed: Device busy (invalid interface name)
root@thumper2 # ifconfig e1000g0 unplumb
root@thumper2 # dladm create-aggr -d e1000g0 -d e1000g1 -d e1000g2 1
root@thumper2 #

You can see from the output above that the devices must not be in use; e1000g0 was, so the dladm command failed. That should be expected. Though e1000g0 had already been configured with an IP address, I was connected to the thumper via our Lantronix serial console. It would be unwise to unplumb the interface you came in on.
At this point ifconfig -a should not show anything (unless you have other devices or you’ve configured e1000g3, etc.).
Initially the switch ports were disabled at the Cisco; they were up for the following look at the aggregate created above.

root@thumper2 # dladm show-aggr
key: 1 (0x0001) policy: L4 address: 0:14:4f:ff:ff:ff (auto)
device address speed duplex link state
e1000g0 0:14:4f:ff:ff:ff 1000 Mbps full up attached
e1000g1 0:14:4f:ff:ff:ff 1000 Mbps full up attached
e1000g2 0:14:4f:ff:ff:ff 1000 Mbps full up attached

Your MAC addresses will not look like the modified example.
We can now see what appears to be a new device; the list shows all of the link devices. The one we are interested in is aggr1.

root@thumper2 # dladm show-link
e1000g0 type: non-vlan mtu: 1500 device: e1000g0
e1000g1 type: non-vlan mtu: 1500 device: e1000g1
e1000g2 type: non-vlan mtu: 1500 device: e1000g2
e1000g3 type: non-vlan mtu: 1500 device: e1000g3
aggr1 type: non-vlan mtu: 1500 aggregation: key 1
root@thumper2 #

All that is needed is to plumb up the interface (aggr1) and we are good to go.

root@thumper2 # ifconfig aggr1 plumb 192.168.1.2 netmask 255.255.255.0 up
root@thumper2 # ifconfig aggr1
aggr1: flags=1000843 mtu 1500 index 3
inet 192.168.1.2 netmask ffffff00 broadcast 192.168.1.255
ether 0:14:4f:ff:ff:ff
root@thumper2 #
root@thumper2 # ping thumper4
thumper4 is alive
root@thumper2 #

Make sure to rename /etc/hostname.e1000g0 to /etc/hostname.aggr1 if you want the machine to be available on the network after a reboot.
Nice, it just works!
Now to do some testing….film at 11.
Update 030909:
I forgot to mention that I’ll be trying this out with JumboFrames enabled (and disabled). To get there I’ve found better results with editing /kernel/drv/e1000g.conf than by using ndd. The same holds true for when you are forced to disable auto-negotiation and hard code the media settings. Have a look at /kernel/drv/e1000g.conf; the comments in the file are sufficient.
Example entry for JumboFrames follows:
MaxFrameSize=3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3;
If you want to hardcode media/duplex e1000g you can edit /kernel/drv/e1000g.conf and reboot.
Update 052209:
After testing some zfs send / zfs rcv transfers from another thumper (using mbuffer) I decided to set LACP mode to active (both on the switch and the server).
Here is the info on how that was done.

[root@thumper2:~]# dladm modify-aggr -PL2 -l active 1
[root@thumper2:~]#
[root@thumper2:~]# dladm show-aggr -L
key: 1 (0x0001) policy: L2 address: 0:14:4f:99:99:99 (auto)
LACP mode: active LACP timer: short
device activity timeout aggregatable sync coll dist defaulted expired
e1000g0 active short yes yes yes yes no no
e1000g1 active short yes yes yes yes no no
e1000g2 active short yes yes yes yes no no
[root@thumper2:~]#

The switch involved runs CatOS and the following command is what was used there (for the ports 5/5 -> 5/7). This impacts the whole module so consider this carefully before pressing enter :)

set port lacp-channel 5/5,5/6,5/7 mode active

When time permits I’ll post some transfer times using mbuffer, rsync, etc.

Tuesday, October 2, 2012

Cleaning up the Operating System device tree after removing LUNs - Solaris 10 example

http://sfdoccentral.symantec.com/sf/5.0MP3/solaris/html/vxvm_admin/ch02s24s03.htm

You must clean up the device tree after removing LUNs. The OS commands may vary for Solaris versions. This procedure uses Solaris 10 with Leadville stack as an example.
Contact Sun Support if any of the steps in this section fail to produce the wanted results.
To clean up the device tree after you remove LUNs
  1. The removed devices show up as drive not available in the output of the format command:
    413. c3t5006048ACAFE4A7Cd252 <drive not available>
            /pci@1d,700000/SUNW,qlc@1,1/fp@0,0/ssd@w5006048acafe4a7c,fc
  2. After the LUNs are unmapped using Array management or the command line, Solaris also displays the devices as either unusable or failing.
    bash-3.00# cfgadm -al -o show_SCSI_LUN | grep -i unusable
      c2::5006048acafe4a73,256   disk  connected  configured unusable
      c3::5006048acafe4a7c,255   disk  connected  configured unusable
    bash-3.00# cfgadm -al -o show_SCSI_LUN | grep -i failing
      c2::5006048acafe4a73,71    disk  connected configured  failing
      c3::5006048acafe4a7c,252   disk  connected configured  failing
  3. If the removed LUNs show up as failing, you need to force a LIP on the HBA. This operation probes the targets again, so that the device shows up as unusable. Unless the device shows up as unusable, it cannot be removed from the device tree.
    luxadm -e forcelip /devices/pci@1d,700000/SUNW,qlc@1,1/fp@0,0:devctl
  4. To remove the device from the cfgadm database, run the following commands on the HBA:
    cfgadm -c unconfigure -o unusable_SCSI_LUN c2::5006048acafe4a73
    cfgadm -c unconfigure -o unusable_SCSI_LUN c3::5006048acafe4a7c 
  5. Repeat step 2 to verify that the LUNs have been removed.
  6. Clean up the device tree. The following command removes the /dev/rdsk... links to /devices.
    devfsadm -Cv

Publish WAS logs on Web Server

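# Map the URL path /waslogs to the application server's log directory.
Alias /waslogs /opt/IBM/WebSphere/AppServer/profiles/UATAppNode1/logs/UATAppServer1
<Directory "/opt/IBM/WebSphere/AppServer/profiles/UATAppNode1/logs/UATAppServer1">
    # Indexes turns on directory listings, so every log file is browsable.
    Options Indexes MultiViews
    AllowOverride None
    # Apache 2.2 access control: "Allow from all" lets any client that can
    # reach the web server read these logs. List specific hosts or networks
    # in the Allow directive to limit who can read them.
    Order allow,deny
    Allow from all
</Directory>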