IBM WebSphere Application Server How To

  1. In WAS ISC, go to Configure security, pick standalone LDAP. Use itimsa as the admin user name. You might need to add itimsa into the admin group
  2. Type: AD
  3. host: deluxe.com
  4. port: 386 (?)
  5. Base DN: dc=company, dc=com
  6. Bind DN - CN=Adlookup,OU=ServiceAccounts....
  7. Bind password
  8. Remove space from itim manager's UID:
ldapmodify -h localhost -p 38910 -D cn=root -w '?' –v -i ./fix-admin-users.ldif 
ldapadd -h localhost -p 38910 -D cn=root -w '?' -v -i add-itimsa-users.ldif

  1. In WAS ISC, Apps > ITIM > Security role to user/group mappings > map itimsa user to ITIM_SYSTEM
  2. In Administrative group roles Search for all ITIM users in AD and give them WAS "configurator" role
Configure WAS SSO

  1. In WAS ISC, Global security > SSO enable sso, require SSL, deluxe.com domain name, check "web inbound security attribute propagation"
Deploy snoop default application on a new server

In WAS console: applications/all applications-> click on defaultapplication-> manage modules, select the cluster/server, select both modules and click apply
Wait a minute for the nodes to synchronize. Now back to applications/all applications, select defaultapplication, click submit action

Remove authentication requirement from the snoop application

In WAS console: applications/all applications-> click on defaultapplication-> security role to user/group mapping, select all role and from map special subjects select everyone, apply and restart the application

Change externally facing SSL certificates

https://www.ibm.com/support/knowledgecenter/en/SS7JFU_8.5.5/com.ibm.websphere.express.doc/ae/tsec_securecomm.html

Open ports for the deployment manager

firewall-cmd --zone=public --add-port=9060/tcp --add-port=9043/tcp --add-port=9809/tcp --add-port=7277/tcp --add-port=9402/tcp --add-port=9403/tcp --add-port=9352/tcp --add-port=9632/tcp --add-port=9100/tcp --add-port=9401/tcp --add-port=8879/tcp --add-port=5555/tcp --add-port=7060/tcp --add-port=11005/tcp --add-port=11006/tcp --add-port=9420/tcp

Open ports for the node agent

firewall-cmd --zone=public --add-port=2810/tcp --add-port=9201/tcp --add-port=9202/tcp --add-port=9354/tcp --add-port=9626/tcp --add-port=7272/tcp --add-port=5001/tcp --add-port=5000/tcp --add-port=9900/tcp --add-port=9901/tcp --add-port=8878/tcp --add-port=7061/tcp --add-port=11001/tcp --add-port=11002/tcp

Open ports for the app server

firewall-cmd --zone=public --add-port=9080/tcp --add-port=9443/tcp --add-port=2809/tcp --add-port=9405/tcp --add-port=9406/tcp --add-port=9353/tcp --add-port=9633/tcp --add-port=5558/tcp --add-port=5578/tcp --add-port=9100/tcp --add-port=9404/tcp --add-port=7276/tcp --add-port=7286/tcp --add-port=5060/tcp --add-port=5061/tcp --add-port=8880/tcp --add-port=11003/tcp --add-port=11004/tcp

All port numbers of https://www.ibm.com/support/knowledgecenter/SS7K4U_8.5.5/com.ibm.websphere.migration.nd.iseries.doc/ae/rmig_portnumber.html

Create a deployment manager with a command line


/opt/IBM/WebSphere/AppServer/bin/manageprofiles.sh -create -hostName $(hostname) -profileName Dmgr01 -adminUserName wsadmin -adminPassword $WSADMINPASS -enableAdminSecurity true -nodeName $(hostname)CellManager01 -cellName $(hostname)Cell01 -serverType DEPLOYMENT_MANAGER -profilePath /opt/IBM/WebSphere/AppServer/profiles/Dmgr01 -templatePath /opt/IBM/WebSphere/AppServer/profileTemplates/management

Create a custom (empty) node with a command line


/opt/IBM/WebSphere/AppServer/bin/manageprofiles.sh -create -hostName $(hostname) -profileName isim01 -dmgrAdminUserName wsadmin -dmgrAdminPassword $WSADMINPASS -dmgrPort 8879 -dmgrHost localhost -nodeName $(hostname)Node02 -cellName $(hostname)Node01Cell -serverType DEPLOYMENT_MANAGER -profilePath /opt/IBM/WebSphere/AppServer/profiles/isim01 -templatePath /opt/IBM/WebSphere/AppServer/profileTemplates/managed

Renew SSL Certificates


The default issuing (signing) certificate is created for 15 years. You can use it to reissue the actual server certificates. The renewal procedure is described here.
Note: custom WAS profille creation can use the following options to specify certificate validity
-create" ,"-cellName" ,"isim1Node01Cell" ,"-nodeName" ,"isim1Node01" ,"-portsFile" ,"/opt/IBM/WebSphere/AppServer/logs/manageprofiles/1486029542753_portdef.props" ,"-personalCertDN" ,"cn=isim1,ou=isim1Node01Cell,ou=isim1Node01,o=IBM,c=US" ,"-profilePath" ,"/opt/IBM/WebSphere/AppServer/profiles/isim01" ,"-dmgrAdminUserName" ,"wsadmin" ,"-signingCertDN" ,"cn=isim1,ou=Root Certificate,ou=isim1Node01Cell,ou=isim1Node01,o=IBM,c=US" ,"-hostName" ,"isim1" ,"-profileName" ,"isim01" ,"-dmgrPort" ,"8879" ,"-dmgrAdminPassword" ,"****" ,"-personalCertValidityPeriod" ,"1" ,"-isDefault" ,"-signingCertValidityPeriod" ,"15" ,"-dmgrHost" ,"localhost" ,"-keyStorePassword" ,"****" ,"-templatePath" ,"/opt/IBM/WebSphere/AppServer/profileTemplates/managed" }</message>

Checking server status


/opt/IBM/WebSphere/AppServer/bin/serverStatus.sh -all -profileName AppSrv01 -username wasadmin -password $WASADMIN_PASS
or
/opt/IBM/WebSphere/AppServer/bin/serverStatus.sh -all -username wasadmin -password $WASADMIN_PASS

Check server version and installed components


/opt/IBM/WebSphere/AppServer/bin/versionInfo.sh

Install as a service


useradd wasdmgr
passwd wasdmgr

then run manageprofiles -create with -enableService true -serviceUserName wasdmgr -servicepassword $WSADMINPASS

Creating the WAS DM profile with GUI


/opt/IBM/WebSphere/AppServer/bin/ProfileManagement/pmt.sh
log is at \opt\IBM\WebSphere\AppServer\logs\manageprofiles\Dmgr01_create.log

How to record response file for WAS, WAS FP or any other install manager install


  1. Connect via SSH with X forwarding
  2. Run
/opt/IBM/InstallationManager/eclipse/IBMIM -record /tmp/was-fp-response-file.xml -skipInstall /tmp/imRegistry

How to update the default WebSphere Application Server listening port (cluster only)


  1. From the administrative console, click Environment > Virtual Hosts > default_host > Host Aliases.
  2. In Host Aliases, click New to create an alias.
  3. In the Host Name field, enter *, and in the Port field, enter the port number and click OK.
Note: To find the default host port, click Servers > Applications Servers > ServerName > ports. Look for the values of WC_defaulthost and WC_defaulthost_secure, where serverName is the server name of the application cluster member where IBM Security Identity Manager is deployed.
  1. Save the configuration changes.
  2. Complete a Full Synchronization of the WebSphere® Application Server nodes.

How to Install Web Server Plug-in


While not necessary you could install IHS to be a proxy in front of SIM. That function is better served by SAM

  1. start the launchpad from the WAS supplemental disk
  2. select Web Server plug-ins Installation on the left, then click Launch the installation wizard for the Web Server plug-ins on the right.
  3. On the new window uncheck everything, next, accept, next,next, select IHS, next, select WAS Machine (local), next
  4. change path to \IBM\HTTPServer\Plugins next
  5. change WAS location to \IBM\WebSphere\AppServer, next
  6. change plugin.conf location to the one on the F drive, next,next,next
  7. http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/tins_webplugins_local.html

How to configure IHS and WAS integration


  1. On ITIM server
  2. Configure IHS Plugin
  3. Copy the configurewebserver1.bat script from the directory ibm\HTTPServer\Plugins\bin\ to the directory ibm\WebSphere\AppServer\profiles\AppSrv01\bin\
  4. Start cmd
  5. CD into ibm\WebSphere\AppServer\profiles\AppSrv01\bin\
  6. Run configurewebserver1.bat, enter the admin user name and password.
  7. Wait for it to complete
  8. Change WebSphere configuration for the web service
  9. Login into WAS console
  10. Click on servers -> Web servers -> webserver1, change port to 80, click ok and save
  11. If you get an error about IHS Admin username and password go back to the webserver1 page click on Remote Web server management (right hand side link). Put in IHS Admin username and password, click ok, save
  12. Test
    1. Make sure the following page comes up corectly
      1. http://isim/snoop
    2. If you get an error try going to http://isim:9082/snoop

How to list all certificates in all WebSphere certificate stores


WAS_HOME=/opt/IBM/WebSphere/AppServer
find /opt -iname *.p12 -exec bash -c "echo {}; $WAS_HOME/java/jre/bin/keytool -list -keystore {} -storepass WebAS -storetype pkcs12" \;

How to decode WAS password

Local passwords are stored in \IBM\WebSphere\AppServer\profiles\Dmgr01\config\cells\cell name\security.xml
Look for the {xor} string. Once found you can use any number of the online password decoders or run WebSphere's own decoder locally like this:

Run the following command on the server where WAS is installed. Search for the ws_runtime.jar on your system to get the correct path for your version of WAS.

java -classpath <WASHOME>/deploytool/itp/plugins/com.ibm.websphere.v61_6.1.200/ws_runtime.jar com.ibm.ws.security.util.PasswordDecoder "<password starting with {xor}>"

For WAS 7 and BPM you might also need other libs in your CLASSPATH:

WAS_ROOT=/software/ems/bpm/WebSphere/AppServer
WAS_JARS_DIR=$WAS_ROOT/deploytool/itp/plugins/com.ibm.websphere.v7_7.0.1.v20101015_1536/wasJars
SEC_JARS=securityimpl.jar:wssec.jar:crypto.jar:bootstrap.jar:ras.jar:wsexception.jar:com.ibm.ws.emf.jar:org.eclipse.emf.ecore.jar:org.eclipse.emf.common.jar
cd $WAS_JARS_DIR
$WAS_ROOT/java/bin/java -cp $SEC_JARS com.ibm.ws.security.util.PasswordDecoder "{xor}LDo8LTor"

For encoding the password you can run the following

$WAS_ROOT/java/bin/java -cp $SEC_JARS com.ibm.ws.security.util.PasswordEncoder secret

How to enable WAS performance monitoring

Enable PMI in the administrative console.

  1. In the administrative console, click Monitoring and Tuning > Performance Monitoring Infrastructure > server_name.
  2. Verify that Enable Performance Monitoring Infrastructure (PMI) is selected. This setting is enabled by default. If the setting is not enabled, select the check box, pick the amount of the stats you want to pull (basic,extended and all) then restart the server.

You could also do it with the JACL wsadmin script:

 set s1 [$AdminConfig getid /Cell:CELL_NAME/Node:NODE_NAME/Server:APPLICATION_SERVER_NAME/]
 set pmi [$AdminConfig list PMIService $s1]
 $AdminConfig show $pmi.
 $AdminConfig modify $pmi {{enable true}}
 $AdminConfig save

If you need to enable PMI, restart the server.

Now you can use a script like this to list all active MBeans that have a stats component

perfOName = AdminControl.makeObjectName(AdminControl.completeObjectName('type=Perf,*'))
for a in AdminControl.queryNames('*').split('\n'): #type=ConnectionPool,
    try:
        config=AdminControl.invoke_jmx(perfOName, 'getConfig', [AdminControl.makeObjectName(a)], ['javax.management.ObjectName']) #com.ibm.websphere.pmi.PmiModuleConfig
        if config is not None:
            print a
    except:
        pass

How to trigger a heap dump in a running WebSphere instance

Start wsadmin on the instance. Run

set jvmname [$AdminControl queryNames WebSphere:type=JVM,process=server1,node=''SERVERNode01'',*]

Use the proper node name. You should get a reply, something like this:

WebSphere:name=JVM,process=server1,platform=proxy,node=SERVERNode01,j2eeType=JVM,J2EEServer=server1,version=7.0.0.13,type=JVM,mbeanIdentifier=JVM,cell=SERVERNode01Cell,spec=1.0

To dump threads run

$AdminControl invoke $jvmname dumpThreads

This will create a javacore.YYYMMDD.HHMMSS.mmmm.nnnnn.txt file in the profiles\AppSrv01 (root) folder. To dump the heap (memory) run

 $AdminControl invoke $jvmname generateHeapDump

It should generate a heapdump.YYYMMDD.HHMMSS.mmmm.nnnnn.phd file and report it's location back to you. It should be in the root folder as well.

How to configure permanent mapping of users/groups to roles in a webapp

In the EAR container create ibm-application-bnd.xmi with the similar contents:

<?xml version="1.0" encoding="UTF-8"?>
<applicationbnd:ApplicationBinding xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:applicationbnd="applicationbnd.xmi" xmlns:common="common.xmi" xmlns:application="application.xmi" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmi:id="Application_ID_Bnd">
  <appName xsi:nil="true"/>
  <authorizationTable xmi:id="AuthorizationTable_1">
    <authorizations xmi:id="RoleAssignment_1">
      <specialSubjects xmi:type="applicationbnd:AllAuthenticatedUsers" xmi:id="AllAuthenticatedUsers_1" name="AllAuthenticatedUsers"/>
      <role href="META-INF/application.xml#SecurityRole_1"/>
    </authorizations>
  </authorizationTable>
  <application href="META-INF/application.xml#Application_ID"/>
  <runAsMap xmi:id="RunAsMap_1"/>
</applicationbnd:ApplicationBinding>

How to configure WebSphere to authenticate against AD

  1. Login to the WAS admin https://was.corp.dom:9043/ibm/console/ as an existing admin
  2. Click on Security -> Global security
  3. Choose standalone ldap registry in the pull down window for ‘Available realm definitions’ then click configure…
  4. Put in the following parameters:
    1. Primary administrative user name: adminid_from_AD
    2. Type of LDAP server: Microsoft Active Directory
    3. Host: primary_domain_controller.corp.dom
    4. Base dn: dc=corp,dc=dom
    5. Bind dn: cn=adminid_from_AD,ou=users,dc=corp,dc=dom
    6. Enter password
  5. Hit test to test the connect and then ok.
  6. At the top hit save.
  7. Go to Administrative group roles, hit add, change the search string to the name of the group that will be WAS admins and click add, then save.
  8. Change the “federated directories” to the “standalone ldap registry” in the “available real definitions” drop-box. Click “set as current”
  9. Check “enable application security” under Application Security
  10. Click apply and then save
  11. Reinstall the Websphere service. On the WAS Server run the following in the command prompt (correct names as appropriate):
F:\IBM\WebSphere\AppServer\bin\WASService.exe -remove ''WASNode01''
F:\IBM\WebSphere\AppServer\bin\WASService.exe -add ''WASNode01'' -servername server1 -profilepath "...\WebSphere\AppServer\profiles\AppSrv01" -configroot "...\WebSphere\AppServer\profiles\AppSrv01\config" -logroot "...\WebSphere\AppServer\profiles\AppSrv01\logs\server1" -logFile "...\WebSphere\AppServer\profiles\AppSrv01\logs\server1\''WASNode01'' Service.log" -washome "...\WebSphere\AppServer" -restart false -stopArgs "-username ''adminid_from_AD'' -password ''passwordhere'' " -starttype automatic –encodeparams

Restart WAS.

  1. First stop it and try to access it. Make sure that it can not be accessed on the admin console
    1. If it is still up, login onto the WAS server, start the command prompt and stop WebSphere using following command:
...\websphere\appserver\profiles\appsrv01\bin\stopserver.bat server1

  1. 1.
Provide proper admin credentials

Start WAS back up

  1. Verify that you can login as yourself to the WebSphere admin console

How to change session expiration

  • in WAS admin console (:9090/admin) clck applications->enterprise applications->enRole->Session Management->Session Timeout)
  • Restart enRole
  • Also you need to change the web.xmls

Session-Timeout (how long it takes for the system to take you back to the logon screen):

File             line
---------       -------------------------------------------------
web.xml:         10

  • Ok, first we need to find the correct web.xml file - and there are a number of them.

set was_home=C:\Progra~1\WebSphere
dir %was_home%\AppServer\installedApps\web.xml /b /s>one &findstr /i /c:enrole one
C:\Progra~1\WebSphere\AppServer\installedApps\appname\enRole.ear\app_web.war\WEB-INF\web.xml
C:\Progra~1\WebSphere\AppServer\installedApps\appname\enRole.ear\passwordsynch_web.war\WEB-INF\we
C:\>notepad C:\Progra~1\WebSphere\AppServer\installedApps\appname\enRole.ear\app_web.war\WEB-INF\web.xml

How to change the ports for the WebSphere Application Server - Express

The embedded version of WebSphere Application Server - Express uses four default port settings:

Http Transport (port 1): 9080
Http Transport (port 2): 9443
Bootstrap/rmi port: 2809
Soap connector port: 8880
Http Transport port 1

  • Find the line containing the port number 9080 in the following files and replace the 9080 with the port number that you want:
$WASHOME\config\cells\DefaultNode\nodes\DefaultNode\servers\server1\server.xml
$WASHOME\config\cells\DefaultNode\virtualhosts.xml
Http Transport port 2

  • Find the line containing the port number 9443 in the following files and replace the 9443 with the port number that you want:
$WASHOME\config\cells\DefaultNode\nodes\DefaultNode\servers\server1\server.xml
$WASHOME\config\cells\DefaultNode\virtualhosts.xml
* Bootstrap/rmi port

Find the line containing the port number 2809 in the following file and replace the 2809 with the port number that you want:
$WASHOME\config\cells\DefaultNode\nodes\DefaultNode\serverindex.html

  • Soap connector port

Find the line containing the port number 8880 in the following file and replace the 8880 with the port number that you want:

$WASHOME\config\cells\DefaultNode\nodes\DefaultNode\serverindex.html

How to change IP for the WebSphere Application Server - Express to listen on

Same procedure as the one for changing a port, but change "host" instead of "port". Use comma to put both short and FQDN.

How to check WAS version

/opt/IBM/WebSphere/AppServer/bin/versionInfo.sh

How to configure WAS for SSL

Environment->virutal hosts->default_host->host aliases->new

name *
port 443

  • Ok->save->save. Click update web server plug-in -> ok
  • Copy Y:\WebSphere\AppServer\config\cells\plugin-cfg.xml X:\WebSphere\AppServer\config\cells\
where y is on was server and x is on ihs server

How to configure WAS or WPS to start as a service

WASService -add server2 -servername server2 -wasHome "D:\Program Files\WebSphere\AppServer" -logfile "D:\Program Files\WebSphere\AppServer\logs\server2\startServer.log" -logRoot "D:\Program Files\WebSphere\AppServer\logs\server2" -restart true
See 1

How to delete a WAS 6.x profile

E:\WebSphere\AppServer\bin>wasprofile.bat -unaugment -profileName AppSrv01
INSTCONFSUCCESS: Profile unaugmentation succeeded.
E:\WebSphere\AppServer\bin>wasprofile.bat -delete -profileName AppSrv01
INSTCONFSUCCESS: Success: The profile no longer exists.

How to enable and Disable WAS Tracing for Security Components

It is recommended to enable this feature until you are satisfied that everything is working correctly. The page is accessed through WAS Administrative console. Go to Troubleshooting->Logs and trace. Select the server you want to trace (another way is Servers->Application Servers. Select the server you want to trace. Click on Logging and Tracing Properties). Click on Diagnostic Trace Service In the Trace Specification text box change to:
com.ibm.ws.security.*=all=enabled
Or
*=all=disabled
Click Apply for the changes to take affect. The trace.log file will appear in the log/<server name> directory under the WAS installation path.

How to get a dump of the hung threads in WAS

goto WAS_HOME\bin run wsadmin Type:
$AdminControl invoke [$AdminControl completeObjectName type=JVM,process=MY_JVM_NAME_HERE,*] dumpThreads

How to restart WAS (App Server)

when bouncing WAS service does not work
D:\WebSphere\AppServer\bin\stopServer server1 -username wpsbind -password ****
For starting the server you do not need to specify the user credentials
D:\WebSphere\AppServer\bin\startServer server1

How to update a WebSphere IHS plugin

WebSphere\AppServer\bin\GenPluginCfg.sh
or through WAS admin console -> Environment -> Update WebServerPlugin Then physically move the file on the IHS server
copy Y:\WebSphere\AppServer\config\cells\plugin-cfg.xml X:\WebSphere\AppServer\config\cells\

How to version verification command for WAS6 and WAS5.1

  • WAS6.0:
bin\versionInfo.bat -maintenancePackages
  • WAS5.1:
bin\versionInfo.bat -fixes

How to clear WAS JSP or JIT compiler cache

Helpful in situations like this one:

Error 404: SRVE0202E: Servlet [/jsp/logon/LogonLayout.jsp]: org.apache.jsp._LogonLayout was found, but is corrupt: SRVE0227I: 1. Check that the class resides in the proper package directory. SRVE0228I: 2. Check that the classname has been defined in the server using the proper case and fully qualified package. SRVE0229I: 3. Check that the class was transferred to the filesystem using a binary transfer mode. SRVE0230I: 4. Check that the class was compiled using the proper case (as defined in the class definition). SRVE0231E: 5. Check that the class file was not renamed after it was compiled.

Clear

"A:\Program Files\ibm\WebSphere\AppServer\profiles\AppSrv01\temp\ADNode01\server1"

How to disable WAS security

wsadmin -conttype NONE
securityoff

If it fails backup security.xml file, change the very first enabled=”true” to enabled=”false” and restart the servers

@HowTo @WebSphere