WebSphere And Tivoli Tricks

Wednesday, April 20, 2011

WebSphere Self-signed certificates

WebSphere v6.1 automatically replaces expiring self-signed certificates by default. If the server's date is moved forward for testing, the certificates are regenerated and the expiring certificates and their signers are deleted. This can be turned off by going to Security > SSL certificate and key management > Manage certificate expiration and un-ticking the appropriate options.
If the certificates become invalid you may receive one of the following exceptions:
CWPKI0311E: The certificate with subject {0} has a start date {1} 
which is valid after the current date/time.  This will can happen 
if the client's clock is set earlier than the server's clock. 
Please verify the clocks are in sync between this client and server 
and retry the request.
or
Exception stack trace: javax.naming.NamingException: Error during 
resolve [Root exception is org.omg.CORBA.COMM_FAILURE: 
CAUGHT_EXCEPTION_WHILE_CONFIGURING_SSL_CLIENT_SOCKET: JSSL0080E: 
javax.net.ssl.SSLHandshakeException - The client and server could 
not negotiate the desired level of security.  Reason: com.ibm.jsse2
.util.h: No trusted certificate found  vmcid: 0x49421000  minor code: 70 
completed: No]
To extend the lifetime of the certificates and resolve the issue, the following steps were taken:
  1. Locate the key.p12 and trust.p12 files under the dmgr profile, e.g.:
     <profile_root>\config\cells\<cellname>\key.p12
  2. Open the key.p12 file with the IKEYMAN tool (\bin\ikeyman.bat). You must select PKCS12 from the Key database type drop-down in order to open the file.
  3. The default password for WebSphere Application Server certificate stores is WebAS.
  4. Select Personal Certificates from the Key database content drop-down.
  5. Delete the existing default certificate.
  6. Create a new self-signed certificate with the following details:
     Key Label: default
     Version: X509 V3
     Key Size: 1024
     Common Name: <fullyQualifiedHostname>
     Organization: IBM
     Country or region: US
     Validity Period: 3650 (we selected 10 years for the length of the certificate)
  7. Extract the certificate you just created with the following settings:
     Data Type: Base64-encoded ASCII data
     Certificate file name: newDefault.arm
     Location: D:\temp\
  8. Open the \config\cells\\trust.p12 file.
  9. The password is again WebAS.
  10. In the Key database content area select Signer Certificates from the large drop-down.
  11. Delete any existing default or default_x certificates.
  12. Click Add and browse to the certificate extracted from key.p12, D:\temp\newDefault.arm.
  13. Enter a label of default.
  14. Close the IBM Key Management tool.
  15. Copy the key.p12 and trust.p12 files to the following locations:
     Deployment Manager:
     <profilehome_dmgr>\config\cells\<cellname>\nodes\<nodename>
     All nodes:
     <profilehome_nodex>\config\cells\<cellname>
     <profilehome_dmgr>\config\cells\<cellname>\nodes\<nodename>
  16. Restart the DMGR, all node agents and servers.
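As a check to run before and after this procedure, here is a small Python script (an added example, not IBM or WebSphere code) that classifies a certificate's validity window along the lines of the two errors quoted above: a notBefore date still in the future after allowing for clock skew (the CWPKI0311E case) and an expired or soon-expiring certificate (what the expiration monitor replaces). The sample certificate's hostname, the 60-day warning threshold and the 5-minute skew allowance are constructed assumptions; the dates reproduce the 3650-day certificate created above.

```python
"""Validity-window check for a server certificate.

Added example, not IBM or WebSphere code.  It models the two conditions
behind the errors quoted above: a notBefore date still in the future
(CWPKI0311E, a clock-skew symptom) and an expired or soon-expiring
certificate (what the expiration monitor replaces).
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape ssl.getpeercert() returns.  The dates
# reproduce the procedure above: a 3650-day certificate created 20 April 2011.
SAMPLE_CERT = {
    "subject": ((("commonName", "appserver.example.com"),),),  # assumed hostname
    "notBefore": "Apr 20 00:00:00 2011 GMT",
    "notAfter": "Apr 17 00:00:00 2021 GMT",  # exactly 3650 days later
}


def utc(*ymdhms):
    """Build an aware UTC datetime, e.g. utc(2011, 4, 20) or utc(2011, 4, 20, 12, 30)."""
    return datetime(*ymdhms, tzinfo=timezone.utc)


def _cert_time(value):
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' form used by getpeercert() into an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), timezone.utc)


def check_validity(cert, now, warn_days=60, skew=timedelta(minutes=5)):
    """Classify `cert` relative to `now` (an aware datetime).

    Returns (status, days):
      "not_yet_valid"  notBefore is still ahead of now + skew (the
                       CWPKI0311E condition); days until it becomes valid
      "expired"        notAfter has passed; negative days since expiry
      "expiring"       valid, but at most warn_days remain
      "valid"          otherwise; days until notAfter
    warn_days (60) and skew (5 minutes) are assumed thresholds, not WebSphere's.
    """
    not_before = _cert_time(cert["notBefore"])
    not_after = _cert_time(cert["notAfter"])
    if now + skew < not_before:
        return "not_yet_valid", (not_before - now).days
    days_left = (not_after - now).days
    if now > not_after:
        return "expired", days_left
    if days_left <= warn_days:
        return "expiring", days_left
    return "valid", days_left


def check_live_server(host, port, cafile=None, now=None):
    """Fetch the certificate of a running server and classify it.

    The handshake only succeeds when the client trusts the server's signer
    (pass the extracted .arm file as cafile for a self-signed default cert);
    an untrusted certificate raises ssl.SSLCertVerificationError instead,
    which is the client-side counterpart of the second error quoted above.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return check_validity(tls.getpeercert(), now or datetime.now(timezone.utc))


if __name__ == "__main__":
    # Walk the sample certificate through the states it passes over its lifetime.
    for when in (utc(2011, 4, 19, 12), utc(2011, 4, 20), utc(2021, 3, 1), utc(2021, 5, 1)):
        status, days = check_validity(SAMPLE_CERT, when)
        print(f"{when:%Y-%m-%d %H:%M} UTC: {status} ({days} days)")
```

check_live_server pulls the dates from a running server rather than the sample dict; because it verifies the chain, it only succeeds once the new signer is trusted, which is the state the trust.p12 steps above restore.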

Tuesday, April 19, 2011

Create a Highly Available Dispatcher

NOTE: Before beginning, configure the two load balancers (LB) identically so that failover keeps the service available.
From the Primary Load Balancer GUI (Start > Program Files > IBM WebSphere > Edge Components > Load Balancer for IPv6 > Load Balancer for IPv6):
  1. Right-click the Dispatcher and click Connect to host…
  2. Connect to the :10099
  3. Right-click the High Availability icon and select Add Heartbeat…
  4. Leave the local machine's IP address in the first text box, enter the secondary LB's IP address in the second and click OK.
  5. Right-click the High Availability icon and select Add High Availability Backup…
  6. Set the role to Primary, the IP of the secondary server and the port number 10099.
  7. Repeat the same process on the secondary LB, except select Backup for the server's role.
  8. Once complete, click the refresh statistics button and confirm the state changes to Synchronized.
  9. Once the process is complete it is important to edit the goActive and goStandby scripts.
    1. These files can be found in the <edge_home>/lb/servers/samples directory.
    2. Follow the instructions within each script file, editing the set CLUSTER, INTERFACE and NETMASK values.
    3. Copy both scripts into the lb bin directory at <edge_home>/lb/servers/bin/
    4. Remove the .sample suffix from each filename so they read goActive.bat and goStandby.bat
To test your configuration, disable the network adapter on the primary LB and watch the secondary change into the active state. Did your service remain available?

How to: Easily set up WebSphere Edge Components Load Balancer for web servers

Dispatcher provides the ability to spray requests across multiple servers. In the WebSphere stack it load balances between multiple web servers, which in turn can relay requests to multiple application servers, providing high availability and scalability. These instructions describe how to set up a configuration similar to the following image:
Load Balancer Diagram: not so complicated!
From the following article in the WebSphere Infocenter: http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.edge.doc/welcome.html
To set up simple IP spraying with WebSphere Edge Components Dispatcher 6.1 on Windows 2003 Server, follow these instructions:
  1. Install the Dispatcher from the WebSphere Edge Components CD or archive file. (From experience: don't install the first release 6.1.0.0; IBM is up to release 6.1.042 at the time of writing. NOTE: you will need the .lic licence file from the original install.)
  2. Once installed (a simple point-and-next scenario), open Start > IBM WebSphere > Edge Components > Load Balancer > Load Balancer.
  3. Expand the Load Balancer in the tree hierarchy.
  4. Right click on the Dispatcher and select Start Configuration Wizard.
  5. Click Next on the Dispatcher Configuration Wizard welcome screen.
  6. Click Next again on the What to expect… page
  7. Read the What Must I Do Before I Begin list and confirm access from the Load Balancer to the web servers on the desired ports (e.g. https (443) / http (80) to hostname:port).
  8. Click Create Configuration.
  9. Select the host you wish to configure (the default is the local machine’s hostname on port 10099) and click Update configuration and Continue
  10. Enter the desired domain to balance and Click Update configuration and Continue.
  11. The wizard will confirm the cluster has been added, click next.
  12. Enter the desired port number (e.g. 443 for https, 80 for http).
  13. The wizard will confirm the port has been added, click next.
  14. Add the IP address of the desired servers to be load balanced (your webservers).
  15. Once all the servers in the cluster have been added click next
  16. Leave the default of Yes for the advisor creation and add a name (e.g. HTTPS).
  17. Open the loopback instructions for Windows 2000/2003.
  18. On each of the webservers being balanced (NOT the load balancer itself!) follow these instructions:
    1. Open the control panel and click Add Hardware Wizard
    2. Click next on the Welcome screen
    3. Let the wizard search for new hardware
    4. On the Is the hardware connected? screen select the Yes radio button.
    5. At the bottom of the installed hardware list select Add a new hardware device and click next
    6. Select Install the hardware that I manually select from a list.
    7. Select Network adapters.
    8. Select Microsoft and the Microsoft Loopback Adapter
    9. Click next to install the adapter.
    10. Click Finish when complete.
    11. Open Network Connections and right click on the new Microsoft Loopback Adapter and select properties
    12. Select Internet Protocol (TCP/IP) and click Properties
    13. Select Use the following IP address and enter the IP address for the cluster, the proper subnet mask for the server and leave the default gateway empty.
    14. Enter the loopback address for the Preferred DNS server (i.e. 127.0.0.1) and leave the alternate empty.
    15. Click OK and OK again.
    16. Repeat on all web servers in the cluster.
  19. Click Exit at the end of the Wizard
  20. Save the configuration (no spaces in the name) and restart the IBM Dispatcher service (Run > services.msc).
Want a highly available load balancer? See Configuring high availability for IBM Load Balancer.
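Step 7 above asks you to confirm that the load balancer can reach each web server on the ports the cluster will use. The following Python pre-flight check is an added example, not part of Edge Components or the Infocenter article: run on the load balancer host, it attempts a TCP connection to every host:port pair and reports which ones fail. The BACKENDS list is a constructed placeholder to replace with your own web server addresses.

```python
"""Backend reachability pre-check for a Dispatcher cluster.

Added example, not IBM Edge Components code.  Run it on the load balancer
host to confirm it can open a TCP connection to every web server on every
port the cluster will spray to (the check step 7 asks for).
"""
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed placeholder list; replace with the cluster's web servers.
BACKENDS = [
    ("10.0.0.11", 80), ("10.0.0.11", 443),
    ("10.0.0.12", 80), ("10.0.0.12", 443),
]


def tcp_reachable(host, port, timeout=3.0):
    """Try a plain TCP connect; return (host, port, ok, detail).

    A refused connection means the host is up but nothing listens on that
    port; a timeout usually means a firewall or routing problem between the
    load balancer and the backend.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return host, port, True, "connected"
    except OSError as exc:
        return host, port, False, exc.strerror or type(exc).__name__


def check_backends(backends, timeout=3.0):
    """Probe all backends in parallel; return {(host, port): ok}."""
    workers = max(1, min(32, len(backends)))
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda hp: tcp_reachable(*hp, timeout=timeout), backends)
        return {(h, p): ok for h, p, ok, _ in results}


def unreachable(backends, timeout=3.0):
    """The subset of backends the load balancer could not connect to."""
    return [hp for hp, ok in check_backends(backends, timeout).items() if not ok]


if __name__ == "__main__":
    for host, port in BACKENDS:
        _, _, ok, detail = tcp_reachable(host, port)
        print(f"{host}:{port}  {'OK' if ok else 'FAIL'}  ({detail})")
    bad = unreachable(BACKENDS)
    print("all backends reachable" if not bad else f"fix before continuing: {bad}")
```

Only a TCP connect is attempted, so a backend that answers here can still return errors at the HTTP level; the advisor you create in step 16 covers that part once the cluster is running.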