Archive for

February, 2010

...

February 24, 2010 10:58 pm

Deploy issue when running master and secondary TIB/Admin

no comments
by Serge    in administrator

TIBCO domain needs a repository where all service data are stored. This repository can be in xml files near TIBCO Administrator or it can be in a database. When you run both master and secondary servers of TIBCO Administrator, it is better to store repository in a database, because if it stored in files, both Administrator instances have to maintain its own copy of the repository. So, it could be a problem with syncing in some cases. When the copy of repository on the secondary server is out of sync, we can experience a problem with deploying and starting applications.

The errors seen in the admin log file:

2010 Feb 15 13:24:21:267 GMT +4 Error [ApplicationConfiguration] AESDKJ-0000 [http-8090-Processor11] COM.TIBCO.hawk.talon.MicroAgentException: Request timed out
2010 Feb 15 13:24:23:720 GMT +4 Error [Administrator] AESDKJ-0000 [http-8090-Processor11] ClientAbortException: java.net.SocketException: Connection reset by peer: socket write error

And in the tsm log files errors are similar to:

2010 Feb 15 13:23:10:335 GMT 4 tsm Debug [] [TRA-000000] tsm.syncBindings: probably admin server is not available. exception message: com.tibco.pof.entity.EntityStoreException: error creating client Server not responding
Caused by: com.tibco.infra.repository.OperationFailedException: error creating client Server not responding at com.tibco.infra.repository.RepoFactory.newClient(RepoFactory.java:3046)

Workaround is to stop secondary Administrator and deploy then. Solution is to stop secondary Administrator, remove all repository files on the secondary server, then copy repository files from the master. Usually all repository files in the <tibco_home>\administrator\domain\<domain_name>\data folder. Strategic decision – migration to a database storage.

By the way, when you plan a backup/restore solution, it makes sense to backup repository only on the master TIBCO Administrator, but in the case of recovery, restore it on both at the same time.


share and enjoy:
  • Twitter
  • Google Buzz
  • Facebook
  • LinkedIn
  • Digg
  • del.icio.us
  • Technorati
  • StumbleUpon
  • email
tags: , ,
No comment?
February 17, 2010 3:37 pm

Enabling Informix SSO authentication

no comments
by Serge    in informix

The idea was to let users, who have accounts in the MS AD, log on to Informix database running on Solaris without requiring to enter credentials again as they are already authenticated in the domain on their Windows workstations. So, we will configure Informix for Kerberos and Single Sign-On (SSO) authentication for Windows clients. This configuration can be called the logical conclusion of a previous configuration with PAM.

Informix box must be preconfigured and joined AD domain like in this my example for Solaris and MS AD. Installing the latest patches is strongly recommended as some related bugs were fixed recently in Solaris and Informix.

  1. On any Domain Controller:
    • create a service account in AD, one per server/alias
    • run setspn -A <sso_alias>/<informix_server>.domain.com@DOMAIN.COM <informix_server>
    • run ktpass -princ <sso_alias>/<informix_server>.domain.com@DOMAIN.COM -mapuser <serv_acc>@DOMAIN.COM -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -mapop set -pass <serv_acc_password> -out my.keytab
    • upload generated keytab file to Informix server
  2. On the Informix box:
    • run ktutil and insert generated key to existing keys file:
      ktutil:  rkt /upload/my.keytab
      ktutil:  wkt /etc/krb5/krb5.keytab
      ktutil:  quit
    • run klist -e -k /etc/krb5/krb5.keytab to check keys file
    • create <informix_home>ids/etc/concsm.cfg file with one row like this:
      GSSCSM("/app/informix/ids/lib/csm/libixgss.so", "", "c=1,i=1")
    • add sso alias to Informix onconfig file
    • add sso alias to sqlhosts file:
      ssoalias         ontlitcp        hostname      1526   s=7,csm=(GSSCSM)
  3. On all Windows workstations:
    • latest version of IBM Informix-Connect must be installed
    • create concsm.cfg file in the C:\Program Files\IBM\Informix\Connect\etc folder with one row like this:
      GSSCSM("client=C:\Program Files\IBM\Informix\Connect\lib\client\csm\igsss11a.dll", "", "c=1,i=1")
    • run setnet32 and describe server like on my screenshot, don’t forget specify options: s=7,csm=(GSSCSM)
    • test using ilogin or define ODBC source; leave username and password fields empty

To check AD accounts from Unix or debug Kerberos and SSO use the following tools:

  • klist, ldapsearch, ldaplist, getent
  • krb-diag

share and enjoy:
  • Twitter
  • Google Buzz
  • Facebook
  • LinkedIn
  • Digg
  • del.icio.us
  • Technorati
  • StumbleUpon
  • email
tags: , , ,
No comment?
February 12, 2010 4:48 pm

Enabling Informix PAM authentication

no comments
by Serge    in informix

Some text from Wikipedia for introduction:

pluggable authentication modules, or PAM, is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). It allows programs that rely on authentication to be written independently of the underlying authentication scheme.

In my case the idea was to let users, who have accounts in the MS AD, log on to Informix Dynamic Server using their AD username and password.

Your OS must be ready to use PAM and Kerberos, configured like in this example for Solaris and MS AD.

So, lets start:

  1. Better to limit number of enctypes for Kerberos, especially if KDC is Windows 2008 R2.
    To do that, add the flowing rows in the /etc/krb5/krb5.conf:
    [libdefaults]
    default_tkt_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
    default_tgs_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
    default_etypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
    default_etypes_des = des-cbc-crc
  2. To define Informix for PAM, add its name to /etc/pam.conf, I will name it ids_pam_service:
    ids_pam_service auth sufficient pam_krb5.so.1
    ids_pam_service auth sufficient pam_unix_auth.so.1
    First line for Kerberos authentication, second to allow local users (defined in passwd) to login through pam-enabled Informix alias.
  3. Configure one or many Informix aliases to enable PAM. Do that in sqlhosts file:
    <alias_name>           ontlitcp        <host_name>      <service_name>    s=4,pam_serv=(ids_pam_service),pamauth=(password)
    like in my example:
    onpam           ontlitcp        serv-inf01      1526    s=4,pam_serv=(ids_pam_service),pamauth=(password)

After Informix restart, PAM authentication will be enabled. Clients will be prompted to enter their local or AD credentials to connect.

If it doesn’t work, you can debug PAM, just touch /etc/pam_debug file and put auth.debug string in the /etc/syslog.conf file:
auth.debug /var/adm/dmessages
Keep in mind that spaces not allowed in syslog.conf, only tabs, and syslog daemon restart is required.

Main disadvantage of PAM is that due to limits of the PAM API, it is not possible for a PAM module to request a Kerberos service ticket from a Kerberos Key Distribution Center (KDC), allowing the user to utilize the application without re-authenticating. pam_krb5 only fetches ticket granting tickets, which involves prompting the user for credentials and are only used for initial login in an SSO environment. To fetch a service ticket for a particular application, and not prompt the user to enter credentials again, that application must be specifically coded to support Kerberos, as pam_krb5 cannot itself get service tickets.

I will describe how to configure Informix for Kerberos and Single Sign-On (SSO) authentication in the next post.

Update: each account in AD must have the following attributes specified: uid, uidNumber, gidNumber, unixHomeDirectory, loginShell. The easiest way to do that is using ADSI Edit snap-in for MMC.


share and enjoy:
  • Twitter
  • Google Buzz
  • Facebook
  • LinkedIn
  • Digg
  • del.icio.us
  • Technorati
  • StumbleUpon
  • email
tags: , ,
No comment?
February 9, 2010 9:55 pm

Configuring HermesJMS for TIBCO EMS

11 comments
by Serge    in EMS

HermesJMS provides a GUI to access JMS queues and topics for common tasks such as sending messages, removing messages and copying messages between queues and topics. It’s one of some “must have” tools for EMS admins and application support team.

Get the latest installer from SourceForge: http://sourceforge.net/projects/hermesjms/files/ then run it:
java -jar hermes-installer.jar

Installation is very simple, just few screens: release notes, license agreement, installation path, components (here is only one actually), summary, files copying, shortcuts creation and installation finish.

To start HermesJMS run hermes.bat in your <installation_folder>\HermesJMS\bin. If you got error message “cannot find \bin\javaw”, make sure that you have JAVA_HOME system variable defined to your jre folder.

When Hermes started successfully, click on “Create new JMS session” button, preferences window will appear, select providers tab and right-clik on free space. Then press “Add Group” and enter group name. Right-click on “Library” and press “Add JAR(s)”. Look in <tibco_home>\ems\5.1\lib folder and select all .jar files there. Click “Open”, then let Hermes to scan jars for factories: press “Scan” button. Then press “Apply”. All libraries will be in the list like on my screenshot.

Go to “Sessions” tab and enter name for session: “My EMS” for example, then select “EMS” loader. Next step is select “com.tibco.tibjms. TibjmsConnectionFactory” class and “Tibco EMS” plugin. Order is very important: select loader, then class, then plugin. Right-click on free space in plugin section and press “Add property”. You have to enter all three properties: username, password and serverURL, do the same for Connection Factory, then press “OK” to save and close properties window.

Now we can connect Hermes to our EMS. Let it discover queues and topics, press “Discover queues and topics from the provider” button. Then confirm replacement of the current set of destinations and list will be updated. That’s all.

If you need more information: HermesJMS home.


share and enjoy:
  • Twitter
  • Google Buzz
  • Facebook
  • LinkedIn
  • Digg
  • del.icio.us
  • Technorati
  • StumbleUpon
  • email
tags: , ,
11 comments!
February 6, 2010 9:36 pm

TIBCO Rendezvous undocumented profiling feature

2 comments
by Serge    in rendezvous

If you experience out of memory issues, or just want to debug function invocations or check consuming memory by Rendezvous daemon internals, you can enable undocumented profiling feature. You need go to http://rvd_host:7580/profiling URL. On the page select the desired check-boxes and then press submit.

Daemons profiling data will be in the log, you can view it on the screen, however better to start rvd or rvrd with log parameters -logfile c:\logs\rvd.log -log-max-size 1024 -log-max-rotations 5 and look at the log files.


share and enjoy:
  • Twitter
  • Google Buzz
  • Facebook
  • LinkedIn
  • Digg
  • del.icio.us
  • Technorati
  • StumbleUpon
  • email
tags: , ,
2 comments!
February 3, 2010 10:27 pm

Connecting from TIBCO to MS SQL using Windows Authentication

no comments
by Serge    in BusinessWorks

Yes, it is possible. We can connect from BusinessWorks applications to MS SQL database using Windows authentication. Even more, we can run TIBCO Domain and store all data in MS SQL instance, where only Windows authentication enabled. Do it simply.

Get the latest version of Microsoft SQL Server JDBC Driver from microsoft.com site. Unzip it. Then:

  • copy sqljdbc.jar to <tibco_home>\tpcl\5.6\jdbc
  • copy \auth\x86\sqljdbc_auth.dll to C:\WINDOWS\SysWOW64 (or to C:\WINDOWS\System32 on 32bit system) and to <tibco_home>\tra\5.6\bin

Configure your BW-application to use appropriate driver and connection string:
JDBC_Driver: com.microsoft.sqlserver.jdbc.SQLServerDriver
URL: jdbc:sqlserver://<server_name>;
instanceName=<instance>;
databaseName=<database>;
integratedSecurity=true;

The process must be started under Windows domain user who has the database rights. To do that just start domain Hawk Agent service under this user (should be in local admins or has appropriate permissions). Then all BW-applications on this particular machine, started by TIBCO Administrator or using appmanage tool, will also run under this user and can connect to MS SQL database using Windows authentication.

If you would like to create TIBCO Domain and use MS SQL Win auth only instance to store the data, you can use the same JDBC driver and URL. All you need is just run TIBCO Administrator and Hawk Agents in the TIBCO domain under Win domain user who has the database rights.


share and enjoy:
  • Twitter
  • Google Buzz
  • Facebook
  • LinkedIn
  • Digg
  • del.icio.us
  • Technorati
  • StumbleUpon
  • email
tags: , , , , ,
No comment?
February 1, 2010 10:04 pm

TIBCO Hawk microagent and eventlog.out file growing

no comments
by Serge    in hawk

We recently encountered a situation when the hawk\bin\eventlog.out file grew, until it ran out of disk space. This is a known bug: we can’t configure or disable eventlog.out file even if we don’t use Windows event logs monitoring microagent rules.

This has been fixed in Hawk 4.8.1 Hotfix 3:

1-83ZKPM
In the Eventlog microagent, the logging events in the eventlog.out
file kept growing and could not be turned off. This has been fixed.

You can download this or latest hotfix from the TIBCO support ftp server as Hawk hotfixes are cumulative.
To install stop all Hawk services, then just copy these files from the hotfix archive and replace the ones that already exist:

  • /hawk/bin/tibhawkhma.exe
  • /hawk/lib/agent.jar
  • /hawk/lib/console.jar

If you run 64bit Hawk, take /hawk/bin/tibhawkhma64.exe from archive and save it as /hawk/bin/tibhawkhma.exe

By the way, some other important things were fixed in the Hawk 4.8.1 Hotfix 3 and Hotfix 4, so please keep your Hawk agents updated.


share and enjoy:
  • Twitter
  • Google Buzz
  • Facebook
  • LinkedIn
  • Digg
  • del.icio.us
  • Technorati
  • StumbleUpon
  • email
tags: , , , ,
No comment?