Thoughts and Tutorials about Continuous Integration, Application Integration, SOA, IT Architecture, WebSphere and Liferay

Sep 27, 2014

How to create a new WebSphere profile


The WebSphere Application Server configuration is based on so called "profiles".
Profiles are containers which contain a set of configurations for one WebSphere Application Server node. A node is an installation of WebSphere. Therefore a node can contain several profiles.

For more information about webspheres configuration items please refer to this blog post.

How to create a profile

WebSphere profiles can be created in two ways:
  • GUI-based
  • Script-based
The GUI is not working on some Unix-based system.

GUI based

IBM provides a eclipse based tool called "Profile Management Tool" (PMT) to manage Websphere profiles.
Open PMT (located at <websphere-installation-path>/bin/ProfileManagement/|bat)
and click on the "Create" button to start the process for generating new websphere profile. A wizard appears, which guides you through the procedure.

Steps of the wizard:
  1. Select Application Server in the first step unless you want to create a deployment manager profile.
  2. Select Advanced profile creation otherwise PMT will automatically fill out some important values.
  3. Select the default application to install. If you wish to unselect one option please do so. However do not remove the administrative console.
  4. Select the installation path of the profile and the profile name. You can also select a pre-configured configuration set for the application server (default/peak/development) in this step.
  5. Define the node name, server name and host name for your profile.
  6. Enable administrative security if needed. This can be also done later with the administrative console.
  7. Select if you let the PMT generate the needed ssl certificates or if you wish to customize the certificate attributes.
  8. Select some more certificate attributes like validity and the common name.
  9. Define the network ports Websphere uses. Usually no changes required here.
  10. If you are running on windows, the PMT askes you if you wish to install WebSphere as a Windows Service. My recommandation is to do it NOT. So deselect the option.
  11. Select if you wish to additionally create a webserver profile. However this is just a configuration set for a already existing installation of a IBM HTTP Server. 
  12. Step 12 shows a summary if the selected configurations. Click "Create" to start the creation process.
After the creation process finished you can launch the first step console. To start the newly created profile execute
<profile-path>/bin/|bat <server-name>

Script based

IBM provides a command line tool called|bat to create profiles from command line.|bat is great for automate the process of generating Websphere profiles.
The officical documantion is availalbe here.

To create a new profile the attributes of the profile need to be passed to|bat as command line parameters.
My recommandation is to use so called response files (parameter = -response). Response files are simple test configuration files for the manageprofiles tool. A response file can look like this.


Execute the following command line to create the defined profile.

<websphere-installation-path>/bin/|bat -response <respone-file-path>

Sep 22, 2014

How to configure shared libraries in WebSphere

If you need some ressources like 3rd party libs in your application you can load them with a classloader. To do this you have to configure shared libraries in your websphere configuration first.

How to configure class loader in WebSphere

There are many reasons to load classes in a seperate classloader. Perhaps you need to load some classes before your application is able to start.

1. Put your libs (e.g. jar files) in a folder in your local file system.

2. Open your Admin Console, create shared libs and reference the file system path from step 1.

3. Create a classloader on your jvm and reference the shared lib config.
So switch to the jvm configuration page and klick on "Class loader" in
"Java and Process Management" tree.

Create a new Class loader by clicking the "new" button.
In the next step you have to choose your class loader order for the newly created class loader.

Then click on apply button.
Next you have to reference the shared libs created on step 2. So click on "Shared libraries references"
on the right side.

Choos your shared libs from the drop down list and klick ok button.

4. Now save you configuration and start/restart your jvm. 

Sep 21, 2014

Convert Certificates from Base64 (PEM) to Binary (DER)


X.509-Certificates are encoded in a Base64 ascii format called PEM or in a binary formed called DER.

The PEM format is the most used format. PEM certificates typically have file extentions such as .pem and .crt, .cer.

A DER formatted certificate contains all the same information as an PEM certificate, however it's encoded in a binary way. DER certificates typically have file extentions such as .der and .cer.
Java Platforms often use the binary DER Format.
However WebSphere Application Server handls both formats. WebSphere stores its certificates in a p12-File located in the config folder. p12 (PKCS#12) files are certificate stores which can contain  certificates with private and public keys. p12 files are usually protected with a password.

When dealing with Java Keystores (JKS) converting of certificates and key files is necessary.

Converting Certificate formats

It is possible to convert this two certificate formats using tools like the java keytool or openssl.

Converting with openssl

Converting certificates with openssl is straight forward.

Converting from DER to PEM:
openssl x509 -in <der certificate file> -inform PEM
<pem certificate file> -outform DER

Converting from PEM to DER:
openssl x509 -in <pem certificate file> -inform DER
<der certificate file> -outform PEM


Converting with java keytool

The java keytool does not allow to directly convert certificates. However when creating a java keystore (JKS) first, certificates can be imported and exported in different formats.

Generate a keystore and delete the mandatory certificate in it:
When generating the keystore with the first command keytool demands several inputs for the mandatory certificate it will generate.We do not need this certificate for convertions and we will delete it afterwards -  so you could type in some foo. I will use the alias test in this example.
keytool -genkey -alias test -keystore <key store file>
keytool -delete -alias test -keystore <key store file>

Converting from DER to PEM:
keytool -import -trustcacerts -alias test -file <der certificate file>
-keystore test.keystore 
keytool -exportcert -alias test -file <pem certificate file> -rfc

Converting from PEM to DER:
keytool -import -trustcacerts -alias test -file <pem certificate file>
keytool -exportcert -alias test -file <der certificate file>