Thoughts and Tutorials about Continuous Integration, Application Integration, SOA, IT Architecture, WebSphere and Liferay

Nov 13, 2009

LTPA Timeout in WebSphere Application Server (Authentication Timeout)


Web techniques like AJAX encourage long user sessions, especially in a business context.

In WebSphere a user session is bounded by two independent timeouts:
  • the HTTP session (JSESSIONID, the plain Java servlet session)
  • the Lightweight Third-Party Authentication (LTPA) token, IBM's proprietary authentication mechanism
If you raise the session timeout to a large value (such as 8 h) you may observe side effects of the LTPA mechanism: the LTPA token has an absolute lifetime (120 minutes by default) that is counted from the moment of authentication, not from the last request, so a user whose HTTP session is still valid is nevertheless sent back to the login page once the token expires.

Jul 9, 2009

Web-Form-Portlet for Liferay (5.2.3) deployed in WebSphere 6.1

To deploy the external "official" plugin web-form-portlet into WebSphere, several preparatory steps are needed.

1. Create a web-form-portlet.war
1.1 Extract the web-form-portlet content (jars, JSPs, ...) from a Tomcat bundle of Liferay (located in "Liferay-Root\tomcat-6.0.18\webapps\web-form-portlet")
1.2 Create a new Dynamic Web Project in Eclipse and add the extracted content to it (tutorial here).
1.3 Create the folder /WEB-INF/classes/META-INF and add the ext-spring.xml.
1.4 Add the IBM binding files ibm-web-bnd.xmi and ibm-web-ext.xmi to /WEB-INF/
1.5 Extract the portlet-container.jar from your Liferay installation (/lib/ext) and add it to /WEB-INF/lib.
1.6 Edit /WEB-INF/web.xml and add
<context-param>
<param-name>com.ibm.websphere.portletcontainer.PortletDeploymentEnabled</param-name>
<param-value>false</param-value>
</context-param>

below the </display-name> tag. This keeps WebSphere's own portlet container from claiming the portlet, so that Liferay's container handles it.
1.7 Export the web-form-portlet application as a WAR file

2. Deploy the web-form-portlet
2.1 Go to the administrative console of WebSphere and navigate to "Applications > Enterprise Applications"
2.2 Deploy the web-form-portlet either as a normal web application or as a module of your Liferay application (tutorial included in this post). Use the context root web-form-portlet.
2.3 Start the web-form-portlet application
2.4 Wait for Liferay to detect the portlet (sometimes a restart is needed)

3. Add the web-form-portlet to a page via the "Add application" menu.


Hints:
1. Download a working web-form-portlet.war here (working on my installation :-).

2. If there are any problems, you can try the following:
2.1 Upload the WAR file via the Plugin Installer portlet (Control Panel)
2.2 Take the WAR file generated by the Plugin Installer / hot-deployment routine and retry the deployment with that file.

3. My /"WebSphere-System-Root"/lib/ext
contains
xml-apis.jar 194.205 19.05.2009 21:00 -a--
xalan.jar 3.078.601 19.05.2009 21:00 -a--
postgresql.jar 448.141 19.05.2009 21:00 -a--
portal-service.jar 1.786.637 19.05.2009 20:58 -a--
portal-kernel.jar 525.263 19.05.2009 20:58 -a--
mysql-connector-java-5.1.6-bin.jar 703.265 05.03.2008 17:27 -a--
mysql.jar 536.609 19.05.2009 21:00 -a--
mail.jar 356.519 19.05.2009 21:00 -a--
liferay-icu4j.jar 5.671.439 19.05.2009 20:18 -a--
jutf7.jar 12.299 19.05.2009 21:00 -a--
jtds.jar 294.726 19.05.2009 21:00 -a--
jta.jar 13.236 19.05.2009 21:00 -a--
jms.jar 25.998 19.05.2009 21:00 -a--
hsql.jar 643.806 19.05.2009 21:00 -a--
container.jar 98.372 19.05.2009 21:00 -a--
activation.jar 55.932 19.05.2009 21:00 -a--
4. My /"WebSphere-System-Root"/java/jre/lib/ext contains
portlet.jar 48.725 19.05.2009 21:00 -a--
PD.jar 1.148.187 29.06.2009 11:44 -a--
jdmpview.jar 251.574 29.06.2009 11:53 -a--
JawBridge.jar 15.661 29.06.2009 11:53 -a--
jaccess.jar 50.129 26.06.2009 14:46 -a--
iwsorbutil.jar 8.289 29.06.2009 11:53 -a--
indicim.jar 65.709 29.06.2009 11:53 -a--
ibmspnego.jar 41.146 26.06.2009 14:46 -a--
ibmsaslprovider.jar 64.506 26.06.2009 14:46 -a--
ibmpkcs11impl.jar 261.848 29.06.2009 11:53 -a--
ibmpkcs11.jar 83.819 29.06.2009 11:53 -a--
IBMKeyManagementServer.jar 475.560 29.06.2009 11:53 -a--
ibmkeycert.jar 232.590 29.06.2009 11:53 -a--
ibmjceprovider.jar 903.078 29.06.2009 11:53 -a--
ibmjcefips.jar 240.130 29.06.2009 11:53 -a--
ibmcmsprovider.jar 206.636 29.06.2009 11:53 -a--
healthcenter.jar 18.812 29.06.2009 11:53 -a--
gskikm.jar 1.110.163 29.06.2009 11:53 -a--
dtfj-interface.jar 16.696 29.06.2009 11:53 -a--
dtfj.jar 347.872 29.06.2009 11:53 -a--
CmpCrmf.jar 183.719 26.06.2009 14:46 -a--

Jun 4, 2009

Oracle 11 g with WebSphere 6.0

Officially the Oracle 11g JDBC driver no longer supports Java 1.4 (which WebSphere 6.0 runs on).
You can, however, use an Oracle 10g driver to access databases on an Oracle 11g database server from WebSphere Application Server 6.0.2.
Some prerequisites need to be fulfilled:

  • WebSphere fix level 6.0.2.29 or above needs to be installed
  • The data source custom property oracle9iLogTraceLevel needs to be "null" or blank
Link:
http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg21314477

Jun 3, 2009

Examples for security vulnerabilities of web applications

Last week I found a quite good PDF about security vulnerabilities of web applications.
It is a document from IBM for their product AppScan, a security scanner for web applications.
The document contains several examples (e.g. cross-site scripting, SQL injection, failure to restrict URL access, improper error handling, ...).

Download it here:
http://eichelgartenweg.googlepages.com/107647_may_06appscan_final.pdf
[or google for it]

May 11, 2009

Generate a (new) SSL Certificate for https [IBM HTTP Server]

[FOR HTTPS/SSL BETWEEN CLIENT AND WEB SERVER]
To generate a new CA-signed SSL certificate for use with the IBM HTTP Server you first need to start the iKeyman utility. iKeyman is the Key Management Tool from IBM.

1. Navigate to the /bin directory of your IHS installation
2. Execute
./ikeyman
to open the Key Management Tool
3. Use "Key Database File > Open" to open your password-protected key database (the .kdb file referenced by your httpd.conf)

4. After the key database is loaded switch to "Personal Certificate Requests" (under "Key database content").
5. Click New and fill out the certificate request dialog. Depending on your CA (VeriSign, ...) you may need to fill out the dialog in a specific way (VeriSign demands that the common name be the fully qualified host name clients will connect to). Choose a 2048-bit key; public CAs no longer sign 1024-bit requests.

6. Click "OK" to save the certificate request in a file. The private key stays in the key database; only the request file leaves the machine.
7. Now provide the content of the certificate request file to your Certificate Authority (e.g. VeriSign). You will receive a new certificate file from them.
8. Once you have received the certificate switch back to "Personal Certificates" (under "Key database content").
9. Click Receive and navigate to the certificate file. Click OK to import the certificate file. If the CA's intermediate certificate is not yet in the key database, add it under "Signer Certificates" first, otherwise iKeyman cannot validate the chain and rejects the import.
10. Open the httpd.conf file of your IHS and replace the SSL certificate label with the new one (it is displayed in iKeyman after the import). Usually the certificate is defined within a virtual host:
Example:
<VirtualHost <ip-address>:443>
ServerName www.test.com
SSLEnable
SSLClientAuth 0
SSLServerCert ihssslcert
AllowEncodedSlashes On
<Directory "/">
Options Indexes MultiViews
Order allow,deny
Allow from all

</Directory>

DocumentRoot /usr/IBM/HTTPServer/www-doc-root/
</VirtualHost>

SSLClientAuth 0 means no client certificate is requested: this virtual host authenticates the server only.

11. Restart the IHS server (/bin/apachectl stop --> /bin/apachectl start)

Apr 29, 2009

WebDAV Access for Liferay deployed in a WebSphere Server

Enabling WebDAV access to Liferay 5.2.2 deployed in WebSphere is quite easy.
1. Deploy Liferay 5.2.2
2. Download liferay-portal-tunnel-web-5.2.2.war from Liferay's SourceForge folder.
3. After downloading the WAR file you need to deploy it into the SAME JVM as Liferay 5.
4. Restart the JVM
5. Create a new folder in a Document Library portlet and click "Access from my desktop"
6. Copy the URL. Use an https URL: Liferay's WebDAV servlet relies on HTTP Basic authentication, so over plain HTTP the Windows client sends your portal password with every request.


7. Create a new network resource in Windows. Use this tutorial: http://jakarta.apache.org/slide/xp.html
Hint:
You can also use Apache Jackrabbit without Liferay in order to enable WebDAV with WebSphere.

Apr 21, 2009

Enable Client certificate authentication with IBM HTTP Server and WebSphere

If you want to provide client certificate authentication for web applications deployed in WebSphere Application Server 6.1 you first need to edit the web.xml of the application.
You need to add a security-constraint, a login-config with CLIENT-CERT and the security-role the constraint refers to:
<security-constraint id="SecurityConstraint_Test01">
<web-resource-collection id="WebResourceCollection_TestOZ01">
<web-resource-name>Test</web-resource-name>
<description/>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint id="AuthConstraint_CognosOZ02">
<description/>
<role-name>Tester</role-name>
</auth-constraint>
</security-constraint>
<login-config id="LoginConfig_1">
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Testrealm</realm-name>
</login-config>
<security-role id="SecurityRole_MIS01">
<description/>
<role-name>Tester</role-name>
</security-role>

The web-resource-collection deliberately contains no <http-method> elements. A constraint that enumerates methods (GET, POST, PUT, HEAD, DELETE, OPTIONS) protects exactly those methods; a request using any other verb, TRACE for instance or an arbitrary string, falls outside the constraint and reaches the servlet without authentication. Leaving the list out applies the constraint to every method. During deployment the Tester role must still be mapped to users, groups or "All authenticated" in the administrative console, otherwise nobody can access the application.

After that you need to create a new virtual host in your IBM HTTP Server configuration.
To do that edit the httpd.conf:
<VirtualHost <ip-address>:443>
ServerName www.yourvh.host.com
SSLEnable
SSLClientAuth 2
SSLServerCert <label of the server certificate in the key database>
<Directory "/">
Options Indexes MultiViews
Order allow,deny
Allow from all
SSLClientAuthRequire o="<required organization>"
</Directory>

RequestHeader set HTTPS %{HTTPS}e
RequestHeader set SSL_CIPHER %{SSL_CIPHER}e
RequestHeader set SSL_CLIENT_CN %{SSL_CLIENT_CN}e
RequestHeader set SSL_CLIENT_DN %{SSL_CLIENT_DN}e

DocumentRoot /usr/IBM/HTTPServer/www-doc-root2/
</VirtualHost>

SSLClientAuth 2 makes a client certificate mandatory, but on its own it accepts any certificate that chains to any signer in the key database; SSLClientAuthRequire is what restricts access to certificates whose subject carries the expected attribute (here the organization). The RequestHeader lines pass the certificate details on to WebSphere as ordinary HTTP headers. Because RequestHeader set overwrites whatever the client sent, these headers can be trusted on this virtual host only; on every other virtual host that is routed to the same application (for instance a plain port 80 host) add RequestHeader unset SSL_CLIENT_DN (and the same for SSL_CLIENT_CN), otherwise a client can supply its own SSL_CLIENT_DN header and the application cannot tell the difference.

Then you need to add the root certificate of the CA that issued the client certificates to the key database of your IBM HTTP Server.
1. Open the IBM Key Management utility ((i)keyman) and add the CA root certificate (e.g. o=host.com) under "Signer Certificates". Its label is independent of the SSLServerCert label in httpd.conf, which names the server's own personal certificate.
2. Save the changes to the key database
3. Restart your IBM HTTP Server

After that edit the virtual host settings in WebSphere. In the administrative console go to Environment > Virtual Hosts and add the new virtual host (e.g. "Certificate Host") with its host aliases.

The plugin-cfg.xml of your IBM HTTP Server should now be updated automatically with a new virtual host entry:

<VirtualHostGroup Name="Certificate Host">
<VirtualHost Name="<host-alias1>:*" />
<VirtualHost Name="<host-alias2>:*" />
</VirtualHostGroup>
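A check for the deployment descriptor above, written for this page as an added example (it is not code from the original post or from IBM): it parses a web.xml, reports security constraints that enumerate <http-method> elements (the verb gap described above), flags roles used but not declared and a login-config other than CLIENT-CERT, and produces the corrected descriptor with the method list removed. The sample descriptor is constructed here and modelled on the snippet in the post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the post's descriptor but with the explicit
# method list that the corrected version above deliberately omits.
WEB_XML_WITH_METHOD_LIST = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Test</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Tester</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Testrealm</realm-name>
  </login-config>
  <security-role>
    <role-name>Tester</role-name>
  </security-role>
</web-app>
"""


def _local(tag):
    """Drop the XML namespace so the same code works for namespaced (Servlet 2.4+)
    and DTD-based (Servlet 2.3) descriptors."""
    return tag.rsplit("}", 1)[-1]


def _texts(parent, name):
    """Text of all direct children of `parent` called `name`."""
    return [el.text.strip() for el in parent if _local(el.tag) == name and el.text]


def audit_web_xml(xml_text):
    """Return a list of findings (empty list = nothing to report)."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if isinstance(el.tag, str):
            el.tag = _local(el.tag)
    findings = []
    declared = {r for sr in root.iter("security-role") for r in _texts(sr, "role-name")}
    for sc in root.iter("security-constraint"):
        auth = sc.find("auth-constraint")
        if auth is None:
            continue  # no auth-constraint: this constraint requires no login
        for wrc in sc.iter("web-resource-collection"):
            patterns = _texts(wrc, "url-pattern")
            methods = [m.upper() for m in _texts(wrc, "http-method")]
            if methods:
                findings.append(
                    f"constraint on {', '.join(patterns)} lists only {', '.join(methods)}: "
                    "requests with any other method (TRACE, PATCH, an arbitrary verb) "
                    "bypass it; remove the <http-method> elements")
        for role in _texts(auth, "role-name"):
            if role not in declared:
                findings.append(f"role {role!r} is used in an auth-constraint "
                                "but not declared in <security-role>")
    method = root.findtext("login-config/auth-method")
    if (method or "").strip().upper() != "CLIENT-CERT":
        findings.append(f"login-config auth-method is {method!r}, expected CLIENT-CERT "
                        "for certificate authentication")
    return findings


def remove_method_lists(xml_text):
    """Corrected descriptor: without <http-method> elements the constraint applies
    to every HTTP method. Done textually so the namespace declaration and the
    formatting of the original file survive untouched."""
    return re.sub(r"[ \t]*<http-method>[^<]*</http-method>[ \t]*\n?", "", xml_text)


if __name__ == "__main__":
    for finding in audit_web_xml(WEB_XML_WITH_METHOD_LIST):
        print("FINDING:", finding)
    print("after fix:", audit_web_xml(remove_method_lists(WEB_XML_WITH_METHOD_LIST)))
```

Run it against the real descriptor by reading the file into `audit_web_xml`; an empty list means the constraint covers every method, every role it names is declared, and the login method is CLIENT-CERT.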


Mar 30, 2009

Web service cache [client sided]

To enable a client-side cache for web service requests (in a WebSphere client) you first need to activate the dynamic cache service and servlet caching (see the post before).
Then you need to create a cachespec.xml:

<cache>
<cache-entry>
<class>JAXRPCClient</class>
<name>http://"your-url":9080/service/"your service"</name>
<cache-id>
<component id="hash" type="SOAPEnvelope"/>
<timeout>60</timeout>
</cache-id>
</cache-entry>
</cache>

and place it into the WEB-INF folder of your client application.
The cachespec.xml above distinguishes requests by a hash value that is calculated over each request's SOAP envelope; two requests with identical envelopes share one cached response for 60 seconds.
This is the easiest way to implement a client-side web service cache. Keep in mind that anything outside the envelope (HTTP headers, the caller's identity, transport-level credentials) does not enter the cache ID, so only cache operations whose response does not depend on who is calling.
For more information see the WebSphere documentation on dynamic caching.

Mar 20, 2009

Setup Web service cache [server sided]

In this post I will explain how to use the server-side web service cache in WebSphere Application Server 6.1.

1. First you need to activate the dynamic cache service and servlet caching in WebSphere via the administrative console
1.1 Navigate to Servers > Application servers > "your server" > Container services > Dynamic cache service
1.2 Activate "Enable service at startup" and click "OK" and "Save" to apply this setting.
1.3 Navigate to Servers > Application servers > "your server" > Web Container Settings > Web container
1.4 Activate "Enable servlet caching" and click "OK" and "Save" to apply this setting.
1.5 Restart the server

2. Deploy the dynamic cache monitor to get a view of the current state of the dynamic cache service
2.1 Locate CacheMonitor.ear under "WebSphere-System-Root"\installableApps\
2.2 Deploy the EAR file (standard context root: cachemonitor). The monitor shows cache contents and lets you invalidate entries, so it should not be reachable anonymously on a production system.

3. Add a cachespec.xml (and the cachespec.dtd, located at /"websphere-sys-root"/properties) to your web service project (folder WEB-INF/)
3.1 The cachespec.xml should look like this:
<cache>
<cache-entry>
<class>webservice</class>
<name>"service name"</name>
<sharing-policy>not-shared</sharing-policy>
<cache-id>
<component id="Hash" type="SOAPEnvelope" />
<timeout>420</timeout>
</cache-id>
</cache-entry>
</cache>
"service name" = e.g. /services/Repository
The cache ID is a hash of the incoming SOAP envelope, so every caller who sends an identical request receives the same cached response for 420 seconds; cache only operations whose result does not depend on the caller's identity or on anything carried outside the envelope. not-shared keeps the entries local to this JVM instead of replicating them to other cluster members.
3.2 (Re-)deploy the web service application

Hint:
A sample cachespec file can be found at "WebSphere-System-Root"/properties

Hint 2:
To enable the web service cache through a Web services gateway (WSGW) see this link.

Mar 10, 2009

Generate a .NET Web service client for a Java EE Web service

[BETA] :-)
One of the advantages of web services is interoperability.
Thus it is possible to use a .NET client for a web service written in Java.
Only the WSDL is needed.

1. Install the newest Microsoft .NET SDK
2. Locate wsdl.exe in the .NET SDK installation (e.g. C:\PROGRA~1\Microsoft.NET\SDK\v2.0\Bin)
3. Execute
"SDK-Location (bin)"\wsdl.exe "Your WSDL-File"
4. You should now see a "your service"Client.cs file. The .cs file is the source code of the web service client proxy; its methods are used to access the web service.
5. To access the web service you need to instantiate the proxy client in your client code
YourService proxy = new YourService();
To call the needed method use something like
string result = proxy.findItem("123454");

6. To compile the C# source code without an IDE locate csc.exe in the .NET Framework installation (e.g. C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727)
7. Execute
"Framework-Location"\csc.exe /t:exe /r:System.Web.dll,System.XML.dll,System.Web.Services.dll "your client code file" "proxy client code file"

8. You should now have an EXE file of the client.

9. Test it!

Feb 20, 2009

Enable SSL between WebServer (plugin-in) and the WebSphere Application Server

To set up a new SSL connection between an IBM HTTP Server (IHS) and your WebSphere Application Server (6.1) the signer of the application server's (self-signed) certificate has to be propagated to the plug-in key database, so that the plug-in can verify the server it connects to.

When you define the IHS via the administrative console, SSL between IHS and the WebSphere application server should be enabled by default.

1. First take a look at the plugin-cfg.xml of your IHS installation and search for the entry <Property Name="keyring" ...>
<ServerCluster CloneSeparatorChange="false" GetDWLMTable="false" IgnoreAffinityRequests="true" LoadBalance="Round Robin" Name="server1_testNodeoglxanclatest32Bit_Cluster" PostBufferSize="64" PostSizeLimit="-1" RemoveSpecialHeaders="true" RetryInterval="60">
<Server ConnectTimeout="0" ExtendedHandshake="false" MaxConnections="-1" Name="testNodeoglxanclatest32Bit_server1" ServerIOTimeout="0" WaitForContinue="false">
<Transport Hostname="oglxanclatest" Port="9080" Protocol="http"/>
<Transport Hostname="oglxanclatest" Port="9443" Protocol="https">
<Property Name="keyring" Value="/opt/HTTP/Plugins/config/test-webserver/plugin-key.kdb"/>
<Property Name="stashfile" Value="/opt/HTTP/Plugins/config/test-webserver/plugin-key.sth"/>
</Transport>
</Server>
</ServerCluster>

These properties define the location of the key database (and of the stash file holding its password) for the secure connection between your IHS and your application server. The stash file stores the password only in obfuscated form, so both files should be readable by the IHS user alone. Note that this configuration still carries an http transport on port 9080 next to the https one; requests that reach IHS over plain HTTP are forwarded over that transport, so remove it if every hop to the application server has to be encrypted.
2. In the administrative console of WebSphere go to Servers > Web servers > "your web server" > Plug-in properties


On this page all necessary entries should be done automatically. To re-copy the default plugin-key.kdb to your IHS press "Copy to Web server key store directory".
3. Restart your IHS
###############################################################
To set up SSL between IHS and WebSphere manually, first locate plugin-key.kdb (and plugin-key.sth) on your application server. Then copy both files to the IHS into the location specified in the plug-in properties (the picture referred to above). Then edit the plugin-cfg.xml of the IHS (see the tags from step 1). Finally restart your IHS and your WebSphere instance.

Feb 10, 2009

Setup a CMS workflow in Liferay 5.2.1

Sometimes there is a need to separate or limit the CMS permissions of some users.

Such users are typically either an article editor or an article approver.

Create editor role:

1. Sign in as administrator (e.g. test@liferay.com/test; these are Liferay's sample default credentials and must be changed on anything but a local sandbox)

2. Go to Control panel > Roles

3. Create a regular editor role

4. Click Action > Define permissions > Add Portlet Permission


5. Select Web Content

6. You will get a complete list of all available permissions. Select the permissions you want to assign to the editor role (typically adding and updating articles, but not approving them).


Create approver role:

1. Sign in as administrator

2. Go to Control panel > Roles

3. Create a regular approver role

4. Click Action > Define permissions > Add Portlet Permission

5. Select Web Content

6. You will get a complete list of all available permissions. Select the permissions you want to assign to the approver role (the Approve Article permission plus only what the approver additionally needs; the point of the split is that no single role can both write and approve).

Assign members to roles

1. Sign in as administrator

2. Go to Control panel > Roles

3. Click Action > Assign member on the role you want to edit

4. Select the users and click "Update Associations" (->Avaiable)

Activate Versioning

1. Add to portal-ext.properties:



journal.article.force.increment.version=true

2. Restart Liferay/server

3. Test IT!

Mail settings

1. Edit portal-ext.properties


#
# Configure email notification settings.
#

# The from address should be the approver's mailbox:

# when an article is created, a mail is sent to this address (from the article creator's address);

# when the article is approved, a mail is sent from this address to the article creator.
journal.email.from.name=Web Content Workflow
journal.email.from.address=
journal.email.article.approval.denied.enabled=true
journal.email.article.approval.denied.subject=com/liferay/portlet/journal/dependencies/email_article_approval_denied_subject.tmpl
journal.email.article.approval.denied.body=com/liferay/portlet/journal/dependencies/email_article_approval_denied_body.tmpl
journal.email.article.approval.granted.enabled=true
journal.email.article.approval.granted.subject=com/liferay/portlet/journal/dependencies/email_article_approval_granted_subject.tmpl
journal.email.article.approval.granted.body=com/liferay/portlet/journal/dependencies/email_article_approval_granted_body.tmpl
journal.email.article.approval.requested.enabled=true
journal.email.article.approval.requested.subject=com/liferay/portlet/journal/dependencies/email_article_approval_requested_subject.tmpl
journal.email.article.approval.requested.body=com/liferay/portlet/journal/dependencies/email_article_approval_requested_body.tmpl
journal.email.article.review.enabled=true
journal.email.article.review.subject=com/liferay/portlet/journal/dependencies/email_article_review_subject.tmpl
journal.email.article.review.body=com/liferay/portlet/journal/dependencies/email_article_review_body.tmpl

2. Restart Liferay/server

Jan 28, 2009

Liferay 5.2.0/5.2.1/5.2.2/5.2.3 on WebSphere 6.1

(Should work with WebSphere 7 too)

The new Liferay versions 5.2.x can be downloaded here.

Deployment in WebSphere 6.1 is still a bit tricky, though.

Steps:
1. Deploy the Liferay 5.2.x WAR file (with dependencies)
2. Move portal-kernel.jar and container.jar to "WebSphere-System-root"/lib/ext
3. Move icu4j.jar (not needed in 5.2.2/5.2.3; there the file is named liferay-icu4j.jar) and portlet.jar to "WebSphere-System-root"/java/jre/lib/ext
4. Download the Sun saw-api (saw-api.jar) or extract it from the dependencies (which can be downloaded separately) and move it to /WEB-INF/lib
5. Set up the database connection either in portal-ext.properties or in ext-spring.xml
5.1 To set up the database in portal-ext.properties take a look at the JDBC chapter of portal.properties inside portal-impl.jar. With this setup Liferay 5.2 uses the Apache Commons connection pool and the database credentials live in portal-ext.properties.
5.2 To use the connection pool of WebSphere (and keep the database credentials in WebSphere's data source instead of the properties file) create a file called ext-spring.xml and place it into /WEB-INF/classes/META-INF. Download a sample ext-spring.xml file here.

########
Liferay 5.2.0 only##########

6. For Liferay 5.2.0 only: deactivate the JavaScript fast load option in portal-ext.properties with this value


javascript.fast.load=false

It seems the fast load option (YUI compression of JS/CSS files) is NOT correctly implemented (for WebSphere).

WORKAROUND:
Put these files into /html/js


Edit the JavaScript settings in portal-ext.properties

##
## JavaScript
##
javascript.barebone.files=\
\
#
# Self-packed files
#
\
barebone_packed.js
#
# Specify the list of everything files (everything else not already in the
# list of barebone files).
#
javascript.everything.files=\
\
#
# Self-packed files
#
\
everything_packed.js
# JavaScript files.

javascript.barebone.enabled=true

javascript.fast.load=false

javascript.log.enabled=false


###############################################################

7. Restart your server.

Hint:
It is also possible to download the dependencies separately and then copy them to the lib folders of WebSphere.
Probably a change of the class loader order will have the same effect (Applications > Enterprise Applications > "your app" > Class loading and update detection).

Jan 5, 2009

MySQL and WebSphere Application Server

WebSphere does not have a template for connections to MySQL databases.

To set one up, you need to create a JDBC provider first:
1. Go to Resources > JDBC > JDBC Providers > New to create a new provider (driver)
Enter in Step 1:
Database type: User-defined
Implementation class name: com.mysql.jdbc.jdbc2.optional.MysqlConnectionPoolDataSource



Enter in Step 2:
Path to the MySQL driver file (can be downloaded here)


Finish the creation in Step 3 (Summary) with "Finish".

Data source:
1. To create a data source for this JDBC provider go to Resources > JDBC > JDBC Providers > "YOUR JDBC PROVIDER" > Data sources > New

Enter in Step 1:
Your desired data source name
Your desired JNDI name (e.g. jdbc/LiferayPool)

Enter in Step 2:
No changes

Finish the creation in Step 3 with "Finish"

2. Go to Resources > JDBC > Data sources > "your data source" > Custom properties
Create these properties:
user = "database user"
password = "database user password"
serverName = "database server name/ip"
databaseName = "name of database"

Custom properties are written to resources.xml in clear text. For anything beyond a test system create a J2C authentication alias (Security > Secure administration, applications, and infrastructure > Java Authentication and Authorization Service > J2C authentication data) holding user and password, and select it as the data source's component-managed authentication alias instead of setting user and password here.

Save and synchronize to finish the setup.

Jan 2, 2009

Client Authentication with User Certificates

If you are creating your own self-signed user certificates (with your own CA) you can easily edit the httpd.conf of your IBM HTTP Server to use these certificates for restricted access.
After adding the proper CA root certificate as a signer to the key database (see this post)

open the httpd.conf and edit (one of) your virtual host(s):

<VirtualHost <ip-address>:<port>>
ServerName <server name>
SSLEnable
SSLClientAuth 2
SSLServerCert <label of the ssl server cert>
<Directory "/">
Options Indexes MultiViews
Order allow,deny
Allow from all
SSLClientAuthRequire <attribute your CA's certificates carry>
</Directory>

RequestHeader set HTTPS %{HTTPS}e
RequestHeader set SSL_CIPHER %{SSL_CIPHER}e
RequestHeader set SSL_CLIENT_CN %{SSL_CLIENT_CN}e
RequestHeader set SSL_CLIENT_DN %{SSL_CLIENT_DN}e

DocumentRoot /usr/IBM/HTTPServer/www-doc-root2/
</VirtualHost>

SSLClientAuth 2 makes client authentication mandatory; at this point any certificate chaining to a signer in the key database is accepted.
SSLClientAuthRequire narrows this to certificates matching the given attribute. Put it in a directory block (/ for all directories). The attribute is matched against the client certificate's subject; use the Issuer-prefixed attribute names (e.g. IssuerCommonName) to match the issuing CA instead.
Example: SSLClientAuthRequire o="ibm.com"
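A configuration check covering both the virtual host above and the one in the client-certificate post of Apr 21, 2009, added here as an example (it is not the author's code and not part of IBM HTTP Server): it parses the <VirtualHost> blocks of an httpd.conf, confirms that a host forwarding SSL_CLIENT_* headers requires client certificates and restricts them with SSLClientAuthRequire, and flags every other virtual host that would let a client's own SSL_CLIENT_DN header pass through to the application unchanged. The sample configuration is constructed from the post's virtual host plus a plain port 80 host; addresses and host names are placeholders.

```python
import re

CERT_HEADERS = ("SSL_CLIENT_CN", "SSL_CLIENT_DN")

# Constructed sample: the certificate virtual host from the post ...
CERT_VHOST = """
<VirtualHost 192.0.2.10:443>
ServerName www.yourvh.host.com
SSLEnable
SSLClientAuth 2
SSLServerCert ihssslcert
<Directory "/">
Order allow,deny
Allow from all
SSLClientAuthRequire o="host.com"
</Directory>
RequestHeader set HTTPS %{HTTPS}e
RequestHeader set SSL_CLIENT_CN %{SSL_CLIENT_CN}e
RequestHeader set SSL_CLIENT_DN %{SSL_CLIENT_DN}e
DocumentRoot /usr/IBM/HTTPServer/www-doc-root2/
</VirtualHost>
"""

# ... plus a plain-HTTP host routed to the same application (not in the post).
PLAIN_VHOST = """
<VirtualHost 192.0.2.10:80>
ServerName www.yourvh.host.com
DocumentRoot /usr/IBM/HTTPServer/www-doc-root/
</VirtualHost>
"""

# The same plain host with the client-supplied identity headers stripped.
HARDENED_PLAIN_VHOST = """
<VirtualHost 192.0.2.10:80>
ServerName www.yourvh.host.com
RequestHeader unset SSL_CLIENT_CN
RequestHeader unset SSL_CLIENT_DN
DocumentRoot /usr/IBM/HTTPServer/www-doc-root/
</VirtualHost>
"""

CLIENT_AUTH_LEVELS = {"0": "none", "1": "optional", "2": "required"}


def parse_vhosts(conf_text):
    """Collect, per <VirtualHost> block, the directives that matter for client
    certificate authentication. <Directory> boundaries are ignored on purpose:
    an SSLClientAuthRequire inside a directory still belongs to the host."""
    vhosts, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = {"address": opened.group(1).strip(), "ssl": False,
                       "client_auth": "none", "auth_require": False,
                       "header_set": set(), "header_unset": set()}
            continue
        if re.match(r"</VirtualHost>", line, re.I):
            if current is not None:
                vhosts.append(current)
            current = None
            continue
        if current is None or line.startswith("<"):
            continue  # outside a vhost, or a <Directory>/</Directory> line
        parts = line.split()
        key = parts[0].lower()
        if key == "sslenable":
            current["ssl"] = True
        elif key == "sslclientauth" and len(parts) > 1:
            current["client_auth"] = CLIENT_AUTH_LEVELS.get(parts[1], parts[1].lower())
        elif key == "sslclientauthrequire":
            current["auth_require"] = True
        elif key == "requestheader" and len(parts) > 2:
            action, name = parts[1].lower(), parts[2].upper()
            if action == "set":
                current["header_set"].add(name)
            elif action == "unset":
                current["header_unset"].add(name)
    return vhosts


def audit_client_cert(conf_text):
    """Return findings for the whole configuration (empty list = clean)."""
    vhosts = parse_vhosts(conf_text)
    findings = []
    forwards_identity = any(set(CERT_HEADERS) & v["header_set"] for v in vhosts)
    for v in vhosts:
        addr = v["address"]
        if v["ssl"] and v["client_auth"] == "required" and not v["auth_require"]:
            findings.append(f"{addr}: SSLClientAuth 2 without SSLClientAuthRequire accepts "
                            "a certificate from any signer in the key database")
        if set(CERT_HEADERS) & v["header_set"] and v["client_auth"] != "required":
            findings.append(f"{addr}: forwards SSL_CLIENT_* headers although client "
                            f"authentication is '{v['client_auth']}'; the application may see an empty identity")
        if forwards_identity:
            passthrough = [h for h in CERT_HEADERS
                           if h not in v["header_set"] and h not in v["header_unset"]]
            if passthrough:
                findings.append(f"{addr}: passes client-supplied {', '.join(passthrough)} through "
                                "unchanged; add 'RequestHeader unset <name>' for each")
    return findings


if __name__ == "__main__":
    for finding in audit_client_cert(CERT_VHOST + PLAIN_VHOST):
        print("FINDING:", finding)
    print("hardened:", audit_client_cert(CERT_VHOST + HARDENED_PLAIN_VHOST))
```

Feed the real httpd.conf to `audit_client_cert`; the check is deliberately global, because the port 443 host can be configured perfectly and the identity headers still be forgeable through a sibling host that never touches them.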