Wednesday, July 16, 2014

VMMSYNC workings and how to look at debug logs.

QUICK OVERVIEW
VMMSYNC is a crontask provided within Maximo products. As with all crontasks it can be set to run at regular intervals. The crontask makes contact with a component of WebSphere called VMM (Virtual Member Manager) via API calls. The calls will be actioned against a federated repository and will request information on users, groups and group assignments from within the federated repository. The information must previously have been populated into the Federated Repository from LDAP(s). VMMSYNC can only be used with WebSphere as it talks directly to VMM which is a security component of WebSphere.WebLogic users will need to use LDAPSYNC which gets its information directly from a single LDAP.
VMMSYNC is a ‘ONE WAY’ synchronisation
i.e. If you delete a user in Maximo, the LDAP will not be updated to remove the user.
LDAP = Lightweight Directory Access protocol
Using an LDAP product allows users to authenticate against a central security product rather than authenticating internally within an application (e.g. Maximo)
Maximo supports 2 LDAP products – Others may work but are not officially supported.
Microsoft Active Directory (MSAD)
Tivoli Directory Server (TDS)
When Maximo makes use of LDAP, only authentication (userid/password check) happens against the LDAP. Users authorisations to individual Maximo applications / actions etc after they have authenticated (logged in) are based on information in the group related tables within Maximo.
When using LDAP for authentication, the user related tables still need to be populated/synchronised with LDAP in Maximo to allow users to access and use Maximo (and that is what VMMSYNC does). VMMSYNC is used to populate the tables from the LDAPs information (Via WebSphere VMM/Federated Repository.
So, the first thing to realise is.......If a user cannot be seen within WebSpheres Federated Repository then VMMSYNC will not be able to populate their information to Maximo. Check you can see the user in WebSphere before wasting time troubleshooting VMMSYNC. If you cannot see them, then your problem is not with VMMSYNC, but with populating the federated repository.

The Crontask
VMMYNC is a Maximo CRONTASK.
You can have multiple ‘instances’ of the crontask.
The following are the main parameters to set up for the crontask instance.

1.1. Principal - The user used to access VMM/WebSphere e.g. cn=wasadmin,ou=Users,ou=SWG,dc=itsm,dc=com
2.2. Credential – Password for principal
3.3. Usermapping – Update basedn in the xml to point to starting point in LDAP for user sync e.g. basedn>ou=Users,ou=SWG,dc=itsm,dc=com

asedn The rest of the user xml may be customised, but must match the LDAP entries and the Maximo database tables
4. GroupMapping – Update the basedn to point to the starting point in the LDAP to search for groups.
5. Check the GroupSearchAttribute (e.g. cn) and UserSearchAttribute (e.g. uid) match those used in the LDAP entries for groups and users.

Ensure the crontask instance is enabled and has a realistic schedule set…… vmmsync can take a long time to run when many users and groups are being sync’d.
A good idea might be to run it on a once a day basis, scheduled outside of normal working hours if possible.

VMMSYNC Crontask Instance XML
The User XML populates the following tables
MAXUSER
PERSON
PHONE
EMAIL
The Group XML populates the following tables
MAXGROUP
GROUPUSER
Extracts showing main USER xml from a VMMSYNC instance.

BASIC DEBUGGING
Set the VMMSYNC Cron Task into debug mode in Maximo

1. Go to the Logging application (under System Configuration | Platform Configuration).

2. Find and select the crontask root logger (not crontaskmgr) in the upper Root Loggers pane.

3. Find and select the VMMSYNC logger in the lower Loggers pane.

1. If one does not already exist, add it:

1. Click the New Row button in Loggers pane while the crontask Root Logger is selected.

2. In the resulting pane click the Detail Menu icon for the Logger parameter.

3. Select VMMSYNC from the Select Value dialog.

4. Click the Select Value button on the Log Level parameter.

5. Select DEBUG from the Select Value dialog.

6. Save the record.

7. Select Apply Settings from the Select Action menu.

Then temporarily disable any other VMMSYNC instances (for clarity in the logs) and allow the vmmsync instance of interest to run.
Save the logs e.g. SystemOut.log and SystemErr.log
Review the debug logs.
First find this message which is the start of the sync
BMXAA6790I - VMM Synchronizer is going to perform Full Synchronization
Check the basedn matches the vmmsync instance xml e.g.
Synchronizing VMM users from base: {OU=Admin,DC=Office,DC=EMEA,DC=local}, using filter: {PersonAccount}
Next is the request made to VMM…this should match the xml regarding properties to get from VMM
[DEBUG] Synchronizing VMM Users: VMM search request
s:xsi="http://www.w3.org/2001/XMLSchema-instance"

    xmlns:sdo="commonj.sdo" xmlns:wim="http://www.ibm.com/websphere/wim">

     type="wim:SearchControl" expression="@xsi:type='PersonAccount' and uid='*'">
       :properties>displayName</wim:properties>
                       …more properties here….
       :searchBases>OU=Admin,DC=Office,DC=EMEA,DC=local
m:searchBases>
     type="wim:PageControl" size="100"/>


Next is the response back from VMM with the user records (each user is listed as an entity)
[DEBUG] Synchronizing VMM Users: VMM search results
s:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:sdo="commonj.sdo" xmlns:wim="http://www.ibm.com/websphere/wim">

     type="wim:PersonAccount">
       rnalName="CN=David,OU=Service Accounts,OU=Administration,DC=headoffice,DC=EMEA,DC=local"
           repositoryId=“REPOSNAMEHERE" uniqueId=“g3r3y6r962d774b89ab4dc78d139cf3" uniqueName="CN=DavidL,OU=mygroup,OU=Admin,DC=Office,DC=EMEA,DC=local"/>
At the end of the user list you may get a cookie. This means it is not the last page to be returned…..look for the next set of results that show this same cookie to continue working through the users

    type="wim:PageResponseControl" cookie="68704D53656172636843616368654E616D6574696D653A31333932303333383730333334"    totalSize="138"/>

You will see also how many users were synchronised e.g.
[INFO] BMXAA6794I - 134 User changes were processed
The Group xml is set out in a very similar fashion to the user xml. i.e. basedn, attributes to get from VMM, Tables to update etc.
Log entries are also very similar e.g.
[DEBUG] Synchronizing groups from base
Followed by the requests and the response for groups and groupmembers
VMM Groups: VMM search request
VMM Group members get request (One for each group found).
TIPS
The biggest tip for debugging is try to disable all other VMMSYNC crontasks, if you have more than one, when creating debug logs. It can get very confusing (for me at least) when many are running at the same time. They also tend to fill the logs quickly, so pertinent information can be lost if the logs size settings are for small files.
Scan the logs for any errors reported by Maximo or WebSphere during the process. including request timeouts. VMMSYNC can take some time to run (especially if thousands of users) and it is not uncommon for it to receive a transaction timeout from WebSphere if the transaction timeout is set too low.
Double check that any customised XML matches the LDAP data and also that any new fields created in Maximo tables are long enough for the data being placed in them and that the data type is correct for the field.Check the 'scope' set in the xml as this determines if just that one level in the LDAP is sync'd or if all sublevels are also sync'd.
Do not run it too frequently. I have seen cases where the sync is nowhere near finished and is then started again.
SQL logging can be turned on for VMMSYNC to show the table updates. This can be useful if everything looks to be correct, users are returned by VMM but do not make it into the Maximo tables.

Maximo Mobile change the color of the start center lables.

In Maximo Mobile there is a file called Mobilestyles.xml located in the following directory

maximo_home\mobileapplications\framework\mobile-base-android-resources\res\values

This files is where you can change the color of the text, in my example I will use red.

This is a color predefined in the colors.xml located in the same directory

Open the mobilestyles.xml using a text editor and look for the following section,

Change @color section to the color you want. Here I am using red,

You could also use #FF0000 instead of the word red. Since this is already defined in the colors.xml we can simply enter red.

save this file and run packagemobileandroid.cmd

The result will be red labels.

ORACLE SPECIFIC TUNING in Maximo

create indexes and increase some parameter on database end like

Increase SGA size to 2560 MB
Increase Session Cached Cursor 150
Increase PGA Size 512MB

SQL SPECIFIC Technotes:

Maximo Performance on SQL Server - Turning off Page Locking

http://www-01.ibm.com/support/docview.wss?uid=swg21268567

Maximo 7.5 Performance Technotes

SCCD 7.5.1 Performance Education Session

http://www-01.ibm.com/support/docview.wss?rs=0&uid=swg27038763

Correcting Slow User Queries

http://www-01.ibm.com/support/docview.wss?uid=swg27038272

http://www-01.ibm.com/support/docview.wss?uid=swg21669275&myns=swgtiv&mynp=OCSSWK4A&mynp=OCSS6HJK&mynp=OCSSLKT6&mynp=OCSSKTXT&mync=E

Maximo Performance Best Practices

http://www-01.ibm.com/support/docview.wss?uid=swg27035806

Best Practices for System Performance 7.5

https://www.ibm.com/developerworks/mydeveloperworks/groups/service/html/communityview?communityUuid=a9ba1efe-b731-4317-9724-a181d6155e3a#fullpageWidgetId=W5f281fe58c09_49c7_9fa4_e094f86b7e98&file=c51d5f5b-dea3-4043-a81f-d5213fc10063

JVM Separation Process

http://www-01.ibm.com/support/docview.wss?uid=swg21570544

Out Of Memory errors on the systemout.log

http://www-01.ibm.com/support/docview.wss?uid=swg21499074

Database Connection leak

http://www-01.ibm.com/support/docview.wss?uid=swg21622010

Using System Instance Properties to Control Cron Tasks

http://www-01.ibm.com/support/docview.wss?uid=swg21575741

Parameters to improve Maximo performance using WebSphere

http://www-01.ibm.com/support/docview.wss?uid=swg21261874

Stopping Data from Auto-populating List Tab

http://www-01.ibm.com/support/docview.wss?uid=swg21624881

Configuring Autofill Properties

http://www-01.ibm.com/support/docview.wss?uid=swg21588861&myns=swgtiv&mynp=OCSSLKT6&mync=E

WebSphere 7.0 fixpack 27 or higher with Java SDK 1.6.0 SR12 Cumulative Fix

http://www-01.ibm.com/support/docview.wss?uid=swg21578450

Understanding Memory Requirements For 32 And 64 Bit Systems

http://www-01.ibm.com/support/docview.wss?uid=swg21405335

Understanding Search Methodologies

http://www-01.ibm.com/support/docview.wss?uid=swg21321289&lnk=uctug_tivoli_nwsltr_MAM

Monday, June 23, 2014

IBM SCCD 7.5.1.0 Process Content Packs

SCCD 7.5.1.1 Process Content Pack - Hardware Asset Management

http://www-304.ibm.com/software/brandcatalog/ismlibrary/details?catalog.label=1TW10CO0T

SCCD 7.5.1.0 Process Content Pack - Service Catalog

https://www-304.ibm.com/software/brandcatalog/ismlibrary/details?catalog.label=1TW10CO09

SCCD 7.5.1.0 Process Content Pack - Software Asset Management

http://www-304.ibm.com/software/brandcatalog/ismlibrary/details?catalog.label=1TW10CO0G

Using Content Installer behind a firewall (SCCD)

Even if you cannot access the internet, you can still install Smartcloud Control Desk content packs using using Content Installer. However, you must first download the content pack remotely and then copy it to your SCCD server.

To install content packs from behind a firewall, complete the following steps.

Create an XML file called ContentSource.xml in the C:\temp directory on your Smartcloud Control Desk server system that contains the following text:

xmlns:tns="http://www.ibm.com/tivoli/tpae/ContentCatalog"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="ContentCatalog.xsd">

    Enter the version number of the Content Installer pack, for example 7.5.1
    mriu
    Enter the name of package
    Enter a description of the package here


    Describe the category of the content
    file:////C:\temp\TestPackage.zip
Edit the name and description and the category according to the content that you are installing. Change the file name in the URL to the name of the content pack zip file.
Save the file.
Copy the content pack zip file to the C:\temp directory on the server.
Go to the ISM Content Installer application: System Configuration>IBM Content Installer.
Click the New icon.
Enter the location of the ContentSource.xml that you created in step 1 and a description. The file name in our example is: file:////c:\temp\ContentSource.xml
Click Save.
Click the newly created content source.
Click the download link to install the content.

Thursday, June 12, 2014

WebSphere: wasadmin – how to recover a lost password

Encoding vs Encrypting

You might know that all sensitive information about security is entered into the security.xml document that can be found at [$WAS_HOME]/profiles/[profile name]/config/cells/[cell name] folder. In Windows this might equate to:

C:\IBM\Websphere\AppServer\profiles\Dmgr01\config\cells\cell01\security.xml

Linux/AIX would likely be something like:

/usr/IBM/WebSphere/AppServer/profiles/Dmgr01/config/cells/cell01/security.xml

This document contains the name and password information for the primary admin account for the WebSphere cell – in most cases that will be the default account [wasadmin]. The password is, however, not encrypted but rather encoded. Encryption would use an encryption key to hash the password and without that key you would not be able to retrieve it. Encoding however is a whole other deal – the coding/decoding information is integral to WebSphere itself and is the same for any install anywhere in the world. That means if you encode the same password anywhere, the resulting hash will be exactly the same no matter which server you do it on.
Now, this is not great security in and upon itself and I will not go into details on this – other than it is really important to lock down the physical access to to any WebSphere server you are in charge of, all the way down to file rights …. or you might regret it at some later time.

How to Decrypt:

I am not the first blogger out there that is writing about this, but nobody every wrote it out for Windows servers so I am going to concentrate on that OS right now, and most of the blog entries out there are for older versions and the proces has changed since. Here some of the articles that I have read over the last few years Robert Farstad, Robert Maldon, and a few more . . . . google the conent here and you will find them.
Here some basic details:

WebSphere Version: 7.0.0.21 (the process is the same for any V 7.x server)
$WAS_HOME=C:\IBM\WebSphere\AppServer

Step 1: find the wasadmin information

Open the security.xml, find the entry for the encrypted password: it always starts with {xor}, in my case it is:

userId=”wasadmin” password=”{xor}LDo8LTor”

Step 2: Find your WAS Version Specific Java Plug-in Folder:

In my case it was:

C:\IBM\WebSphere\AppServer\deploytool\itp\plugins\com.ibm.websphere.v7_7.0.2.v20110524_2321\

Step 3: Find your java home and open a command prompt

In my case this equates to

C:\IBM\WebSphere\AppServer\java\bin\

Change to this folder in the command prompt you opened.

Step 4: Run the Password Encoder/Decoder:

This is where you need the folder location and the encoded password you looked up in the previous steps.
In C:\IBM\WebSphere\AppServer\java\bin\ run the following command

java – java.ext.dirs=C:\IBM\WebSphere\AppServer\deploytool\itp\plugins\com.ibm.websphere.v7_7.0.2.v20110524_2321\wasJars\ -cp securityimpl.jar:iwsorb.jar com.ibm.ws.security.util.PasswordDecoder {xor}LDo8LTor

This above command is one long command string (it might wrap depending on your screen) and it will create the following output in the command prompt:

encoded password == “{xor}LDo8LTor”, decoded password == “secret”

The process for Linux/AIX is basically the same, however the folder structure will be different. The commands are about the same but depending on which version of Linux you are running the Java switches might need some fidlding – though the base does not change.

MAXIMO Blog

Search This Blog