Call Me at +91 7798846928 for Trainings

My photo
I am a Middleware Trainer and Consultant for Websphere (WAS, MQ), Weblogic, SOA and JBOSS Administration. Drop a mail to kvn@live.in for trainings and videos or call on +91 7798846928 for details.

Thursday, February 27, 2014

SSL Certificate management in Websphere Application Server

We should first understand why we need ssl communication and what is the impact of not installing the certificates.
Earlier whenever we want to make any banking transaction (e.g.: depositing the money, with draw money, transfer money, etc), make a reservation for Air travel, etc… we used to visit the branches, stand in the queue and wait for our turn and complete the transaction. But, in present day with time constraint, busy world none of us wants to waste time being in queue. Thanks to the internet based applications which made every work possible with a finger click. But, always a question remains how about the security to these transactions on the internet??.
The JSSE (JAVA Secured Socket Extension) is a set of packages that enable secure Internet communications. It implements a Java technology version of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. It includes functionality for data encryption, server authentication, message integrity & optional client authentication.

SSL configuration:  SSL configuration help us in making secured communication between the application deployed inside the websphere and external client (browser) by encapsulating the data as required by JSSE. These certificates inside the websphere are mainly of 2 different types. They are as follows:-
(a)     Self Signed certificates ( or Internal or Default Certificates)
(b)     Signer Certificates (or Digital Certificates)

Self Signed Certificates: From websphere application server 6.1 onwards the self signed certificates are created automatically during the profile creation .i.e., whenever the profile is federated to cell self signed certificated are created automatically. The management of these self signed certificates is automatically taken care. The expiration of these certificates is monitored on a pre-defined schedule with notifications sent to system logs and email-sending capabilities. The certificates will be automatically replaced before expiration, by default, and, there will of course be a warning prior to the certificate replacement.

Signer Certificates: A signer certificate represents certificate and public key associated with some personal certificate. The signer certificate explicitly trusts connections made to or by the owner of the associated personal certificate. The signer certificate is typically made completely public by the owner of the personal certificate, but it’s up to the receiving entity to determine if it is a trusted signer prior to adding it to the trust store.
Following are the steps involved for installing the SSL signer certificates:-
1)      **Invoke the ikeyman from the profiles bin directory.

2)      In the IBM Key Management Utility, click on Key Database File and then New


3)    Choose Key database type and select JKS. Give any name to keystore like Test_key.jks.
4)      Click the Browse button and give location where we want to store keystore file.

5)      Click OK. Enter a password and click OK.

6)      Click Create then New Certificate Request to bring up the Create New Key and Certificate Request window.
7)      Type a Key Label, Common Name, Organization, Locality, State, and select a Country. Select 1024 for Key Size.




8)      Click on Key Database File and then Open. Locate the keystore file that you created when you generated the CSR. Type the password and click OK.

9)      Select Signer Certificates from the pull-down list.
10)   Click the button to Add…

11)   Login to WAS console with the valid credentials and Expand “Security” link at left hand side pane.
12)  Click on “SSL certificate and key management”.

13)  Click on “SSL configurations” link.

14)   Click on “Key stores and certificates” link.
15)  Select the scope by clicking on CellDefaultTrustStore (or NodeDefaultTrustStore) link from the list.
16)   Click on “Signer certificates” link.

17)   Click on Add button.
18)   Give alias name as “Test_Cert”.
19)  Give filename as complete path of “Test_Cert.cer” on server.

20)  Click apply and then OK and restart all the WAS server instances.

Monday, February 24, 2014

How to automate Thread Dumps in Websphere Application Server ?

WebSphere Application Server attempts to report potentially hung threads using the hung thread detector. Depending on how the hung thread detector policy is configured, a thread running for a certain interval (default 10 minutes) might be reported as hung and a WSVR0605W message is printed in the SystemOut.log file:
WSVR0605W: Thread <threadname> has been active for <time> and may be hung.  There are <totalthreads> in total in the server that may be hung.

By setting a WebSphere custom property, the hung thread detector will automatically generate a javacore, or print a thread dump in the native_stdout.log for Solaris and HP-UX, when a WSVR0605W message is written out to the SystemOut.log file. Javacores/thread dumps are needed for determining what code is running in the potentially hung thread, if the reported hung thread is blocked by other threads, and/or if bottlenecks exist in the JVM.
The com.ibm.websphere.threadmonitor.dump.java property was enabled in WebSphere Application Server V6.0.2.29, 6.1.0.19, 7.0, 8.0, 8.5 and later.
Set the com.ibm.websphere.threadmonitor.dump.java property to true. Where?

Detailed Steps:
1. Log on to the admin console of Deployment Manager (DMGR).
2. Go to Servers > Application Servers > server_name > Server Infrastructure > Administration > Custom Properties
3.   Click New and add the following property:
Name: com.ibm.websphere.threadmonitor.dump.java
Value: true

4.   Click Apply. Click OK and save the configuration changes.
5.   Restart the Application Server for the changes to take effect.

Do the same with Node Agent:
  1. From the DMGR administrative console, click System Administration > Node Agents > nodeagent_name > Additional Properties > Administration Services > Additional Properties > Custom Properties
  2. Click New and add the following property:
    Name: com.ibm.websphere.threadmonitor.dump.java
    Value: true
  3. Click Apply. Click OK and save the configuration changes.
  4. Restart the Node Agent for the changes to take effect.
 Starting in WebSphere Application Server 7.0.0.25, 8.0, 8.5, and later you can now specify an integer in the 'Value' field of this custom property, making it possible to limit the number of javacores/thread dumps produced. For example, setting "20" as the value, it will only generate javacores on the first 20 hung thread messages reported.
 

Sunday, February 23, 2014

How to generate Thread Dumps manually in Websphere Application Server 7 and analyze?

Application Server is nothing but a Java process. And as you are aware Java language supports multi-threding concept. The class file (could be a POJO/Servlet/JSP) whichever receives the request will decide what method  (also called as functions in other programming languages) of that class will handle the request. Once the appropriate method is engaged (to process the business logic/control commands), a thread id is assigned to it. In a similar fashion, many java threads will process in parallel thereby enabling multi-threading in Java on Websphere Application Server's JVM (server basically). In order to take a look at the objects (object is a variable in system memory which holds the end to end methods/variables being called for a particular java class) status currently the Heap memory allocated to JVM occupies we can generate a thread dump. A thread dump will detail the java methods currently under execution on a running JVM, and its execution time.

 

When/Why do we need to take thread dumps manually?

1.  To analyze the application server response time for a method call.
2.  To identify the root cause of an application server hang/thread hangs.
3.  To scrutinize the under-performing application server and suggest heap corrections or application performance issues with development team.

How to take thread dumps manually ?

There are 2 approaches in this category:
1.    In Linux/Unix/AIX/HP-UX/Solaris platforms, use "kill -3 <PID>" to generate thread dumps from OS level.

2.    You can do this from Websphere supplied wsadmin commands to generate one as well!
Navigate to Application server's profile_home bin directory and execute wsadmin command as shown below:
<WAS_HOME>\profiles\<profilename>\bin# ./wsadmin.sh -username XXX -password XXXX

$AdminControl invoke $JVMNAME dumpThreads 
Ex: wsadmin> $AdminControl invoke Server1 dumpThreads

At wsadmin prompt use the above command with JVMNAME = application server name as it appears in logs folder for this profile. Thread dump will be generated here under the bin folder or under profile_home or logs folder of that profile.

How to analyze a thread dump ?

"IBM Thread and Monitor dump analyzer for java" is the tool provided by IBM alphaworks developers portal. Download it and use it. The tool's built-in help notes will detail the options available in just a few steps. It is the most simple tool for thread analysis. There are many other analyzer tools available other than this. It is purely a matter of choice.

After reading this blog post kindly proceed with below link, to better understand automation of thread dumps.

How to automate Thread Dumps in Websphere Application Server ?

Wednesday, February 19, 2014

How to generate Heap Dumps manually in Websphere Application Server 7 and analyze?

Although heap dumps are generated only in response to a detected memory leak, you must understand that generating heap dumps can have a severe performance impact on WebSphere Application Server for several minutes. When generating multiple heap dumps manually for memory leak analysis, make sure that significant objects are leaked in between the two heap dumps. This approach enables problem determination tools to identify the source of the memory leak.

On JVM in WebSphere Application Server, you can manually produce heap dumps by using the wsadmin tool to run scripts with generateHeapDump operation on MBeans. 
On a Java virtual machines (JVM) in WebSphere Application Server, you cannot enable automated heap dump generation.
 WAS supports the Jacl and Jython scripting languages only, which will be used to interface with WAS through wsadmin.

Steps involved:

1.    Start the wsadmin scripting client.

Finding JVM objectName:
<wsadmin> set objectName [$AdminControl queryNames WebSphere:type=JVM,process=<servername>,node=<nodename>,*] 

2.    Invoke the generateHeapDump operation on a JVM MBean, for example, 
<wsadmin> $AdminControl invoke $objectName generateHeapDump
 
 
where, 
The following table explains variables in the command previously mentioned.
$ is a Jacl operator for substituting a variable name with its value
invoke is the command
generateHeapDump is the operation you are invoking
<servername> is the name of the server on which you want to generate a heap dump
<nodename> is the node to which <servername> belongs
 
After running the wsadmin command above, the file name of the heap dump is returned.

How to analyze a heap dump generated either wise?

Do not analyze heap dumps on the WAS machine because analysis is very expensive (CPU and disk I/O intensive). For analysis, transfer heap dumps to a dedicated problem determination machine.

Steps involved:

 1.    On the physical application server where a memory leak is detected, go to the WebSphere Application Server home directory (WAS_ROOT\PROFILE_ROOT\ProfileName).
2.     Heap dumps generated here will be in below format:
         heapdump.<date>.<timestamp>.<pid>.phd 
3.     Gather all the .phd files and transfer them to your problem determination machine for analysis.
Note: In some environments they will be configured to plain text format, you can toggle this on adminconsole websphere variables section.
4.     "Memory Dump Diagnostic For Java" is the tool from IBM for heap dump analysis and verbose GC analysis. There are many other third-party tools available to do the same.

Thursday, February 13, 2014

Websphere MQ Basics/Fundamentals

IBM WMQ ensures once and only once assured delivery of messages from one business application to another business application.

Pre-defined MQ Objects are 7:
1 Queue Manager
2 Queue
3 Channel
4 Listener
5 Process
6 NameList
7 Service

Queue Manager is initial and foremost object. Unless QM object is defined the other objects cant be created.
The remaining 6 objects can/will be defined in Queue Manager control. Therefore Queue Manager is a sub-system which can control MQ objects.
Queue Manager is SPOC for connecting Business Apps to perform PUT/GET operations on Queue objects.

CRTMQM: is a control command to create a queue manager.
Template: C:\> CRTMQM <QMNAME>
Example: CRTMQM BOCQM1

In production like environment we limit the Queue Manager name to 8 uppercase characters. 8 char is the limit for QM object name.
Name of the MQ server is <QMNAME>

DSPMQ: is a control command to track the current status of QM.
Template: C:\> DSPMQ -M <QMNAME>
Example: DSPMQ -M BOCQM1
Default status of QM is 'ended immediately'.


How to create other MQ objects once QM is defined/created?
QM service should be running.

STRMQM: is a control command to start the QM.
Template: C:\> STRMQM <QMNAME>
Example: STRMQM BOCQM1

DSPMQ: is a contol command which will display QM name and status properties.
Now check the status of QM!
Example: DSPMQ -M BOCQM1
Status of BOCQM1 Queue manager is changed to 'Running'

ENDMQM: is a control command which will be used to stop QM.
Template: ENDMQM -I <QMNAME>, ENDMQM <QMNAME>
Example: ENDMQM -I VANQM1, ENDMQM VANQM1

How to create other MQ objects once QM is defined/created and is running?
RUNMQSC: is a control command To switch/interfacewith QM and define other MQ objects. Once we execute this command, MQSC for QM will be enabled.
All 14 MQSC commands are constant.

Valid MQSC commands are:
1 ALTER
2 CLEAR
3 DEFINE
4 DELETE
5 DISPLAY
6 END
7 PING
8 REFRESH
9 RESET
10 RESOLVE
11 RESUME
12 START
13 STOP
14 SUSPEND

The above MQSC commands will be used for administering the MQ objects defined under QM.
END is an MQSC command which is used to quit the RUNMQSC console(QM control area/WMQ System Admin MQ access).

In IBM WMQ, queues are classified in 2 categories:
1 Pre-defined Q's
2 Dynamic Q's

Pre-defined Q's are 4 in count:
1 Local Q >> Holds business data/messages, therefore its also called business Q.
2 Alias Q
3 Remote Q
4 Model Q >> is a template to create Dynamic Q using model Q object definition and is done in run-time.

Dynamic Q's are 2 in number:
1 Temporary Dynamic Q
2 Permanent Dynamic Q

There are 4 special local Queues(which are not business queues) :
1 Transmission Q
2 Initiation Q
3 Dead Letter Q
4 System Q

GOTCHAS >> If "TYPE(QLOCAL) USAGE(NORMAL)" then such a queue is a business queue. If USAGE(XMITQ) is used instead, then it will become transmission queue.


DEFINE: is a RUNMQSC command used to create pre-defined objects other than QM.
Channel names are limited to 20 characters in length.
Other object names can be upto 48 characters.
Example: DEFINE QLOCAL(QNAME)

DISPLAY: is a RUNMQSC command which is used to display properties of MQ objects other than QM.
Example: DISPLAY QSTATUS(QNAME) TYPE(HANDLE)

ALTER: is a RUNMQSC command used to change the behaviour/property values of objects other than QM.
Example: ALTER QLOCAL(QNAME) PUT(DISABLED) GET(ENABLED)

MAXMSGL: is a Q property which indicates the maximum length of a message that it can hold.
Example: DISPLAY QLOCAL(QNAME) MAXMSGL, ALTER QLOCAL(QNAME) MAXMSGL(40).
By default the maxmsgl property of a q can hold a message of lenth 4 MB each. Remember that it shows maxmessagelength value in bytes.
The maximum message length allowed in MQ is 100MB. Default is 4MB.

gotcha >> TASKKILL /F /PID PROCESSID
Example: TASKKILL /F /PID 3442

DELETE: is a RUNMQSC command used to delete the MQ objects other than QM.
Example: DELETE QLOCAL(TESTQ)

Wednesday, February 5, 2014