Tuesday, December 2, 2014

Configure soap.client.props (when the console is secured)

Once you have secured the console, every time you need to stop a WebSphere server from the command line you will need an administrator user and password. The idea of this lab is to configure the service user in the soap.client.props file. These activities need to be done by Windows administrators; you should know why.

The idea is that you can stop any Java server without entering a password.

For this to work, you must set properties in the soap.client.props file.
Perform the following procedure:
1. Set the following properties in soap.client.props:
com.ibm.SOAP.securityEnabled=true
com.ibm.SOAP.loginUserid=<user_ID>
com.ibm.SOAP.loginPassword=<password>

2. Run one of the following commands to encrypt the password:
Windows:
PropFilePasswordEncoder.bat <path>\soap.client.props com.ibm.SOAP.loginPassword
UNIX or Linux:
<path>/PropFilePasswordEncoder.sh soap.client.props com.ibm.SOAP.loginPassword

In my case:
# cd /opt/IBM/WebSphere/AppServer8.5/profiles/Dmgr_Prod/properties
# cp soap.client.props soap.client.props.bk
# vi soap.client.props
com.ibm.SOAP.securityEnabled=true
com.ibm.SOAP.loginUserid=wasadmin
com.ibm.SOAP.loginPassword=Wasadmin

Save the file
# ../bin/PropFilePasswordEncoder.sh soap.client.props com.ibm.SOAP.loginPassword


Now you can stop any WebSphere process from the command line.

NOTE:
As you can see, you do not need to know the wasadmin password; only your Windows administrator does. This password should not expire, because every user who needs to log in to WebSphere will be authenticated through this user. That is the reason why it should not be used as the infrastructure administrator.

Ahhh, and copy the configured soap.client.props to all your managed nodes!!!!
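
An added audit script for the file configured above, not part of the original post: it checks that security is enabled, that the password was encoded, that the file is readable by its owner only, and that no copy beside the file still holds a clear-text password. It assumes the encoder's default output carries the {xor} tag, which is a reversible encoding rather than encryption, so the file mode is the control that actually protects the credential.

```shell
#!/bin/sh
# Added example: audit soap.client.props after the procedure above.
# Prints one finding per line; returns 0 only when nothing is flagged.

# prop FILE KEY -> value of the last uncommented "KEY=value" line, or empty
prop() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '\r'
}

audit_soap_props() {
    f=$1; rc=0
    [ -r "$f" ] || { echo "ERROR: cannot read $f"; return 2; }
    [ "$(prop "$f" com.ibm.SOAP.securityEnabled)" = "true" ] ||
        { echo "WARN: com.ibm.SOAP.securityEnabled is not true"; rc=1; }
    [ -n "$(prop "$f" com.ibm.SOAP.loginUserid)" ] ||
        { echo "WARN: com.ibm.SOAP.loginUserid is empty"; rc=1; }

    # Assumption: the encoder's default output starts with the tag {xor}.
    case $(prop "$f" com.ibm.SOAP.loginPassword) in
        '')       echo "WARN: com.ibm.SOAP.loginPassword is empty"; rc=1 ;;
        '{xor}'*) : ;;
        *)        echo "FAIL: $f holds a clear-text password; run PropFilePasswordEncoder"; rc=1 ;;
    esac

    # The encoded value is reversible, so only the owner should read the file.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case $mode in
        *00) : ;;
        *)   echo "FAIL: $f has mode $mode; restrict it with chmod 600"; rc=1 ;;
    esac

    # Copies left beside the file (.bk, .bak, ...) may predate the encoding step.
    for copy in "$f".*; do
        [ -f "$copy" ] || continue
        case $(prop "$copy" com.ibm.SOAP.loginPassword) in
            ''|'{xor}'*) : ;;
            *) echo "FAIL: $copy holds a clear-text password; delete it"; rc=1 ;;
        esac
    done
    return $rc
}

# With no argument, run against a constructed sample (clear-text password, mode 644).
if [ $# -gt 0 ]; then audit_soap_props "$1"; else
    t=$(mktemp) && chmod 644 "$t"
    printf 'com.ibm.SOAP.securityEnabled=true\ncom.ibm.SOAP.loginUserid=wasadmin\ncom.ibm.SOAP.loginPassword=Wasadmin\n' > "$t"
    audit_soap_props "$t" || true; rm -f "$t"
fi
```

Run it on the deployment manager and on every managed node that received a copy of the file.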

Securing WebSphere Console - WAS 8.5

In this lab we will secure the WebSphere console using Windows Active Directory. It is very easy, and it leaves the security responsibilities to the Windows administrators.

Steps
1.- Create a service user in Windows to authenticate the other users
2.- Use the Security Wizard
3.- Stop and Start WebSphere
4.- Done

1.- Create a service user in Windows to authenticate the other users

Now you can check from your WebSphere box (or any other box) that you can access the directory with that user. Please use only wasadmin as the name of this user and, for example, Wasadmin as its password.
If ldapbrowser can search Active Directory, WebSphere will be able to do it too.

2.- Use the Security Wizard









3.- Stop and Start WebSphere
Now you must stop and start your whole infrastructure; in my case I have 3 servers: ND, nodeagent and server1.
When everything has started again, just press F5 in your browser.


As you will see, the console is redirected to SSL communication.


Do what you need to do to accept the certificate


Now you must log in to the console with the service user, in this case wasadmin.


Congrats!!! Now you must add an admin user to the console; you should not use the service user to administer your WAS infrastructure.


Again, go to Security -> Global security -> Administrative user roles


You are now in "Administrative user roles"; you should see our service user account here.


Let's add a new administrator user; please click Add...


In my case I will add myself, so I type H* and click Search.


Then you must move the user to the right side and select the appropriate role.


Click OK and save.


Now you must log out and log in with your new administrative user.


Congrats, you have a new administrative user account in your infrastructure.


Install IBM WebSphere Application Server 8.5.5 ND

In this part you will learn how to install IBM WebSphere Application Server 8.5.5 ND on RHEL 6.3, but with this knowledge you can install it on other Linux, Unix or Windows systems. Please feel free to ask me any questions.


You are probably installing WebSphere 8.5 for the first time in a Linux environment; if that is the case you will need to run a step 0, that is, prepare the Linux environment.


1.- Prepare Linux environment
2.- Install Agent Installer 1.7 (IBM IM)
3.- Install WebSphere Application Server 8.5.5 ND binaries
4.- Install IHS 8.5
5.- Start IHS 8.5
6.- Configure WAS ND 8.5.5
7.- Install Plugin
8.- Configure Plugin
9.- Configure SSL


1.- Prepare Linux environment

# yum install compat-libstdc++-296.i686 compat-libstdc++-33.i686
# yum install compat-libstdc++-33.x86_64
# yum install gtk2.i686 libXtst.i686


NOTE: My last install was on RHEL 6.4 with the 64-bit IM 1.7, and I did not need the environment preparation because the IM runs great!!! But to run the WebSphere Customization Toolbox (WPT) you will need to install the 32-bit libraries.
You may also need to disable SELinux by temporarily switching off enforcement; if that is your case, just run this:

echo 0 >/selinux/enforce


2.- Install Agent Installer 1.7 (IBM IM)

For this step you will need the file agent.installer.linux.gtk.x86_64_1.7.1000.20131119_2219.zip 

# unzip agent.installer.linux.gtk.x86_64_1.7.1000.20131119_2219.zip



Everything will be unzipped here (see next picture); then you only need to run the installer.

# ./install












 

3.- Install WebSphere Application Server 8.5.5 ND binaries

You will need to download these files:
  • was.repo.8550.ihs.ilan_part1.zip
  • was.repo.8550.ihs.ilan_part2.zip
  • was.repo.8550.ndtrial_part1.zip
  • was.repo.8550.ndtrial_part2.zip
  • was.repo.8550.ndtrial_part3.zip
  • was.repo.8550.plg.ilan_part1.zip
  • was.repo.8550.plg.ilan_part2.zip
  • was.repo.8550.wct.ilan_part1.zip
  • was.repo.8550.wct.ilan_part2.zip
You can download binaries from http://www-03.ibm.com/software/products/en/appserv-wasnd/ 

Now you must create the following folder structure to hold the repositories:
# mkdir -p /opt/IBM/repositories/was.repo.8550/ihs
# mkdir -p /opt/IBM/repositories/was.repo.8550/nd
# mkdir -p /opt/IBM/repositories/was.repo.8550/plg
# mkdir -p /opt/IBM/repositories/was.repo.8550/wct


and put into /opt/IBM/repositories/was.repo.8550/ihs
was.repo.8550.ihs.ilan_part1.zip
was.repo.8550.ihs.ilan_part2.zip
 

into  /opt/IBM/repositories/was.repo.8550/nd
was.repo.8550.ndtrial_part1.zip
was.repo.8550.ndtrial_part2.zip
was.repo.8550.ndtrial_part3.zip
 

into  /opt/IBM/repositories/was.repo.8550/plg
was.repo.8550.plg.ilan_part1.zip
was.repo.8550.plg.ilan_part2.zip
 

and into  /opt/IBM/repositories/was.repo.8550/wct
was.repo.8550.wct.ilan_part1.zip
was.repo.8550.wct.ilan_part2.zip
 

Unzip all the files, and delete the zip files if you need filesystem space.
Next you can configure the ND 8.5.5 repository in IM.



Now press Install







Be careful: I always put the version in the AppServer folder name, in this case AppServer8.5.



I select the 64-bit JDK.



Do not create any profile here; we will create them all later.


4.- Install IHS 8.5

Add the IHS 8.5.5 repository


Press OK

Now press install, select IHS...




As I have different IHS versions, I use the version number in the folder name, in this case HTTPServer8.5.



Select the HTTP port.





congrats!!!!

5.- Start IHS 8.5

# cd /opt/IBM/HTTPServer8.5/bin/
# ./apachectl start




Now open it in your web browser

http://rhel63



6.- Configure WAS ND 8.5.5


Let's create the dmgr profile

# cd /opt/IBM/WebSphere/AppServer8.5/bin
# ./manageprofiles.sh -create -profileName Dmgr_Prod -templatePath /opt/IBM/WebSphere/AppServer8.5/profileTemplates/dmgr -nodeName Prod_ENV -cellName Prod -hostName rhel63



Let's create the Servers profile

# ./manageprofiles.sh -create -profileName Servers -templatePath /opt/IBM/WebSphere/AppServer8.5/profileTemplates/default -nodeName Germany -cellName Europa -hostName rhel63


Let's start the DMgr profile

# cd /opt/IBM/WebSphere/AppServer8.5/profiles/Dmgr_Prod/bin/
# ./startManager.sh
  




Let's start the server1 in Servers profile

# cd /opt/IBM/WebSphere/AppServer8.5/profiles/Servers/bin
# ./startServer.sh server1


Check which port to use to open the admin console. By default the first WebSphere server takes port 9060 and the next server takes 9061; you can check the ports with this command:

# netstat -an | grep LISTEN | grep tcp | grep 906




9060 is dmgr and 9061 is server1. At this point you must understand that server1 is in an unmanaged node; the idea is to add this node to a dmgr node.




As you can see, there is no server in dmgr... yet.



Open the server1 console too and find the SOAP port.



Go to
Servers -> Server Types -> WebSphere application servers

Select server1 and look for the ports in the right panel of server1.



In this case the SOAP port is 8880.

Now log out and return to the console on port 9060, the DMgr console.


Now let's federate server1 from the Servers profile. This process will create a new server called "nodeagent", which will be responsible for managing all administration processes and communication between the DMgr and all servers in this node.

Go to
System administration -> Nodes


Press Add Node


On the next screen, in the Node connection part, enter the name of your server (it must already be defined in the /etc/hosts file) and the SOAP port, which in this case is 8880, and under Options select Include applications and Include buses.






SORRY!! Some messages are in Spanish...

Now you can see the new node, in this case Germany.


Start server1 using this console.
Go to
Servers -> Server Types -> WebSphere application servers



Check the apps.
Go to
Applications -> All applications



Check the HTTP port:
# netstat -an | grep LISTEN | grep tcp | grep 908


Open the sample app in a web browser:

http://rhel63:9080/snoop

 

7.- Install Plugin

In the IM go to File -> Preferences... -> Add Repository...



Press OK and now just install the Plugin.












8.- Configure Plugin

In order to configure the plugin we need to install the "WebSphere Customization Toolbox"; it is the easiest way to do it.



Press OK and just install the "WebSphere Customization Toolbox (ILAN)".











Once the toolbox install finishes, you can start it from the IM's final screen or from the operating system menu, as you wish.


You can see the option in the next picture.







On Add Web Server Plug-in Location, complete these fields:
Name: Prod_Local_WebServer
Location: path to your Plugin install



Now you should see something like this.


Now you will create the properties for your web server.


Select your web server type.


64 bits


Be careful with your IHS choice... I say that because in my case I have several IHS installs.


I used here:
user ID:     wasadmin
Password: Wasadmin


user ID:     wasadmin
Group  :     wasadmin
NOTE: Why is this important? Because this user/password is used to administer the web server, especially remote web servers.


WebServer Name (must be unique): ProdLocalWebServer


Choose local install and the folder of your ND 8.5 install.


The name of your Dmgr will appear.






Ready; now we must run the configure script.

# cd /opt/IBM/WebSphere/Plugins8.5/bin/
# ls

You will need to copy the configureProdLocalWebServer.sh script:


# cd /opt/IBM/WebSphere/AppServer8.5/profiles/Dmgr_Prod/bin
# cp /opt/IBM/WebSphere/Plugins8.5/bin/configureProdLocalWebServer.sh .


Now we just run this script; it will do all the magic for you...

# ./configureProdLocalWebServer.sh





Congrats!!!
Now open the admin console and check the new web server definition.
Go to
Servers -> All servers


You can test the snoop app through IHS; you will see that the plugin is not ready yet.


Here you could ask why the plugin does not work. The answer is that you need to update plugin.xml on the web server for it to work, so let's update it.

Go to
Servers -> web servers


1.- Mark the ProdLocalWebServer server and press Generate plug-in


2.- Mark the ProdLocalWebServer server and press Propagate plugin



3.- Mark the ProdLocalWebServer server and press Stop



4.- Mark the ProdLocalWebServer server and press Start




Now go to the snoop app browser tab, press F5 to refresh, and voilà!!!


9.- Configure SSL


To configure SSL we will use this doc, "Enabling SSL in the IBM HTTP Server configuration", adapted to this situation:
1.- vi /opt/IBM/HTTPServer8.5/conf/httpd.conf
Add all the content between ###BEGIN and ###END just above the line containing "LoadModule was_ap22_module /opt/IBM/WebSphere/Plugins8.5/bin/64bits/mod_was_ap22_http.so"

Check the next picture.

 



Save and close.
2.- # mkdir /opt/IBM/HTTPServer8.5/ssl
Now, in a graphical environment, run the next commands:
# cd /opt/IBM/HTTPServer8.5/bin



You must create the key.kdb in the /opt/IBM/HTTPServer8.5/ssl folder.



Enter the password and be sure to check "Stash the password to a file".


Next press New Self-Signed.


Fill in all the info.



Now you can close ikeyman.

Restart the IHS in order to open the SSL port:
3.- # ./apachectl restart
# netstat -an | grep 443

Now we can check it in any web browser




SSL is configured... very easy, right?

Now let's check whether the snoop app opens over SSL.



Finished!!!