Using Jython to Change WebSphere Cell Names

Posted: 4th May 2011 by admin in WebSphere

Interactive mode running from the dmgr profile of the cell you wish to change:

1. from the ../profiles/dmgr/bin dir

wsadmin.sh -lang jython -conntype none

2. AdminTask.renameCell( ‘[-newCellName <cell name> -regenCerts true -nodeName <new dmgr name> -hostName <hostname>]‘ )

3. Repeat for each node, dmgr, and other

AdminTask.renameNode( ‘[-nodeName <old node name> -newNodeName <new node name>]‘ )

3. AdminConfig.save( )

This changes all the references in all xml files in the config directory.

One note, though:  if you’re changing an ND environment, you need to run the renameCell on both the Deployment Manager and nodeagent instances, then start the Deployment Manager. Once it’s running, run syncNode before starting the nodeagent.

To get list of servers in cell:

wsadmin>servers = AdminConfig.listServers(‘Server’)

print servers

*note this includes the dmgr and nodeagent

To get just the application servers:

servers = AdminTask.listServers( ‘-serverType APPLICATION_SERVER’ )

print servers

The Value of the Plugin Trace in WebSphere

Posted: 4th May 2011 by admin in WebSphere

The plugin log is an important tool if end-users are not getting in to the application after they hit the web server sitting in front of WebSphere. The the plugin trace allows the administrator to watch the logs and see the users hist the WebSphere server. When you do a plugin trace, monitor the access and plugin logs at the same time and look for matching timestamps.

Note, the port forwarded to WAS from the web server must match a valid WAS virtual-host, if not, then a intermediary load balancer is most likely the issue.

In the plugin-cfg.xml, set the log level and then restart the associated web server.

<?xml version=”1.0″?>

<Config ASDisableNagle=”false” IISDisableNagle=”false”

IgnoreDNSFailures=”false” RefreshInterval=”60″

ResponseChunkSize=”64″ AcceptAllContent=”false”

IISPluginPriority=”High” FIPSEnable=”false”

AppServerPortPreference=”HostHeader” VHostMatchingCompat=”false”

ChunkedResponse=”false”>

<Log LogLevel=”Trace” Name=”/<path to plugin logs>/http_plugin.log”/>

Using lsof on Unix Hosts to Find WebSphere

Posted: 4th May 2011 by admin in WebSphere

On UNIX hosts, lsof can assist one in easily locating WebSphere log files and their associated process ID’s.

$ <path to lsof>/lsof | egrep “native|System” | grep log

The “| grep log” on the end ensures that you get the log files only and not any other files or libraries. This command also supplies the process ID (PID) Then one can then see what PID is tied to the dmgr, nodeagent, etc

If you wish to include the translogs:

$ <path to lsof>/lsof | egrep “native|System|trans” | grep log

To get the IHS logs and PIDs:

$ <path to lsof>/lsof | grep -i logs | egrep “access|error|plugin”

WebSphere UMASK Settings – Why Do You Care?

Posted: 26th April 2011 by admin in WebSphere

In a WebSphere cell where all application servers ‘runas’ id’s are all the same (user and group), the default umask setting in the process execution of an application server is not much of a concern.  However, what if you have a single cell with multiple application servers with different runas id’s?  This is where the wrong umask can bite you.

The default umask for application servers is 022.  This translates to 755 perms on the directory and 644 perms on the files.  The issue this causes is that a runas id can change the shared config directory for the node to where only the owner can write to it and all others just have read and execute, even those in the same group.  This creates a situation where other application servers under other user ids will not start as their tmp files cannot be written to the shared config directory on the node.  Your logs will have entries such as this:

ADMR0104E: The system is unable to read document cells node-metadata.properties: java.io.IOException: Permission denied

Provided all the runas id’s are in the same group, the solution is to change all umasks per server execution to 002.  This changes the permissions on the shared node config files to 775 for the directory and 664 for the files.  Thus, other application servers running under user ids within the same group have the required access to the node configs and can therefore start properly.

Automatically Capturing Thread Dumps in WebSphere

Posted: 26th April 2011 by admin in WebSphere

WebSphere has a nice feature that automatically allows one to capture thread dumps the moment that a hung thread is detected.  Below is the IBM doc that describes how to enable it.

http://www-01.ibm.com/support/docview.wss?uid=swg21448581

Basically, it is a custom property within the server infrasture that can be enabled.

Name = com.ibm.websphere.threadmonitor.dump.java

Value = true

IntroScope with WebSphere on AIX

Posted: 26th April 2011 by admin in WebSphere

I ran into the following error while trying to configure IntroScope with WebSphere on AIX.

“Unable to determine the identity of the JVM: Unable to locate the java.lang.ClassLoader classfile”

The issue is the vm.jar for AIX  when using IBM java is located in a different path from where it is stashed on solaris/linux.  Therefore, the following is the work around.

Instrumentation Command:

<websphere path>/java/bin/java -Dcom.wily.autoprobe.prependToJVMRuntimePath=<websphere path>/java/jre/lib/ppc64/default/jclSC160/vm.jar -jar <introscope path>/connectors/CreateAutoProbeConnector.jar -jvm <websphere path>/java

JVM  Generic Arguments for websphere application servers on AIX:

(load order is Agent.jar, vm.jar, and profile)

-Xbootclasspath/p:<introscope path>/connectors/AutoProbeConnector.jar::<introscope path>/Agent.jar

-Dcom.wily.autoprobe.prependToJVMRuntimePath=<websphere path>/java/jre/lib/ppc64/default/jclSC160/vm.jar

-Dcom.wily.introscope.agentProfile=<introscope path>/IntroscopeAgent.profile

Error Condition:

SECJ0314W: Current Java 2 Security policy reported a potential violation of Java 2 Security Permission. Refer to the InfoCenter for further information.

Permission:

AdminPermission : Access denied (com.ibm.websphere.security.WebSphereRuntimePermission AdminPermission)

This is because java2 security is enabled. Java2 prevents access to file system resources.

JVM will not Start OR Log

Indicative of banged up JVM generic args… in this case if you are using a an AutoProbeConnector.jar from another host.. DON’T. Instrument each host seperately. I have seen the ‘same java in the same type of config’ produce different cksums.

The Cool Thing About Javacore Files on AIX

Posted: 26th April 2011 by admin in WebSphere

When one takes a thread dump of WebSphere on AIX using the IBM supplied java, the javacore file not only contains the thread information but heap information as well.  Below is an example of what that looks like.  One may easily convert the hex to decimal and see what memory usage looked like at the time of the snapshot.

0SECTION ST subcomponent dump routine

NULL ============================

1STGCMODES Resettable GC: No

1STGCMODES Concurrent GC: No

1STCURHBASE Current Heap Base: 0x7000000000001F8

1STCURHLIM Current Heap Limit: 0x700000003FFFBF8

1STMWHBASE Middleware Heap Base: 0x7000000000001F8

1STMWHLIM Middleware Heap Limit: 0x700000003FFFBF8

1STGCHELPERS Number of GC Helper Threads: 15

1STJVMOPTS -Xconcurrentlevel: 0

1STJVMOPTS -Xconcurrentbackground: 0

1STGCCTR GC Counter: 486059

1STAFCTR AF Counter: 486058

1STHEAPFREE Bytes of Heap Space Free: 1a63278

1STHEAPALLOC Bytes of Heap Space Allocated: 3fffa00

Quickly Creating a Functional WebSphere v7.0 Cell

Posted: 26th April 2011 by admin in WebSphere

With WebSphere v7, one can create a cell with a federated node in one step if using the “Cell” profile.  Using  a response file similar to that below, one will end up with a functional WebSphere cell.

-OPT silentInstallLicenseAcceptance=”true”

-OPT disableOSPrereqChecking=”true”

-OPT installType=”installNew”

-OPT profileType=”cell”

-OPT feature=”noFeature”

-OPT PROF_enableAdminSecurity=”false”

-OPT PROF_adminUserName=

-OPT PROF_adminPassword=

-OPT installLocation=”<desired installation path>”

-OPT traceFormat=ALL

-OPT PROF_dmgrProfileName=<dmgr name e.g. ‘dmgr’>

-OPT PROF_appServerProfileName=<node name e.g. ‘node1′>

-OPT PROF_hostName=<physical host name>

-OPT PROF_nodeName=<dmgr name e.g. ‘test-manager’>

-OPT PROF_appServerNodeName=<node name e.g. ‘test-node1′>

-OPT PROF_cellName=<cell name e.g. ‘test’>

-OPT PROF_webServerType=<IHS, Apache, etc>

-OPT PROF_webServerName=<web server name>

-OPT PROF_webServerHostname=<physical host name>

-OPT PROF_portsFile=<path to dmgr ports def file>

-OPT PROF_nodePortsFile<path to node ports def file>

-OPT PROF_validatePorts=”true”

The  -OPT feature=”noFeature” will create the new node without the sample apps deployed.

The ‘ports def’ files are separate files for the deployment mananger and the node.  Examples:

dmgr file contents:

WC_adminhost=

WC_adminhost_secure=

BOOTSTRAP_ADDRESS=

SOAP_CONNECTOR_ADDRESS=

IPC_CONNECTOR_ADDRESS=29632

SAS_SSL_SERVERAUTH_LISTENER_ADDRESS=

CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS=

CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS=

ORB_LISTENER_ADDRESS=

CELL_DISCOVERY_ADDRESS=

DCS_UNICAST_ADDRESS=

Node file contents:

BOOTSTRAP_ADDRESS=

SOAP_CONNECTOR_ADDRESS=

SAS_SSL_SERVERAUTH_LISTENER_ADDRESS=

CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS=

CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS=

ORB_LISTENER_ADDRESS=

NODE_DISCOVERY_ADDRESS=

NODE_IPV6_MULTICAST_DISCOVERY_ADDRESS=

NODE_MULTICAST_DISCOVERY_ADDRESS=

DCS_UNICAST_ADDRESS=

To execute the installation:

<path to WebSphere installer>/install -options <path to response file> -silent

After the install, install the UpdateInstaller for WebSphere and patch to desired levels.

Below is a link that describes the cutomizable attributes available to a responsefile when used in silent installations.

http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.installation.nd.doc/info/ae/ae/rins_customize_responsefile.html

WebSphere Password Management

Posted: 14th April 2011 by admin in WebSphere

The following scripts can be used in WebSphere v6.1 and v7.0 to recover lost encoded passwords stored within your WebSphere configuration.  Set WAS_HOME in the script (or pass it in via argument) and pass the {xor} password in via argument as well.

############ WEBSPHERE 6 ####################################################

WAS_HOME=

password=$1

cd ${WAS_HOME}/deploytool/itp/plugins/com.ibm.websphere.v61_6.1.200

${WAS_HOME}/java/bin/java -cp ws_runtime.jar com.ibm.ws.security.util.PasswordDecoder ${password}

#—————————————————————————–

############ WEBSPHERE 7 ####################################################

WAS_HOME =

password=$1

${WAS_HOME}/java/bin/java -Djava.ext.dirs=${WAS_HOME}/deploytool/itp/plugins/com.ibm.websphere.v7_7.0.1.v20090422_1423/wasJars -cp securityimpl.jar

com.ibm.ws.security.util.PasswordDecoder ${password}

#—————————————————————————–

For all things that can be done in the console, there is a scripting interface for the same functionality.   Specifically, configuration settings in the console can be done programatically, (as can deployments or any other Operator’s functions).    So, what objects are available when looking to programatically configure your WebSphere cell?  To get a list of these  objects, do the following:

1.  <websphere deployment manager home>/bin/wsadmin.sh -lang jython

2.  At the wsadmin prompt, type the following:   print AdminConfig.types()

The output of the command above will give you a list of all available configuration objects.

To get the attributes of the desired object, use the print attributes command.  For example, if I wanted to get the attributes of the ‘Server’ object from the output of the AdminConfig.types() command above:

1.  print AdminConfig.attributes(‘Server’)

This command will list the available attributes of the server object.