Archive for the author ·

Serge

·...

Saving the contents of TIBCO Rendezvous binary messages

1 comment

Once a situation may arise when there is need to view or save the contents of TIBCO Rendezvous Active Enterprise binary messages. If you just get them using tibrvlisten, then messages appear like this:

message={_data_=[521 opaque bytes]}

I know that TIBCO Support experts have some tools to display and save these Rendezvous opaque bytes of AE messages, but my quick solution was to create small BusinessWorks process, which will do capture and store job. There are two activities: Rendezvous Subscriber and Write File. Rendezvous Subscriber will listen appropriate subject and has only one output complex element to represent message body. Write File has “write as binary” option and Rendezvous Subscriber’s output body is input for a file binary content. There is a formula error, but in this case it can be ignored. File name will form from Process ID to save each message in a separate file.

When this process are running, binary files will appear in the specified folder. One file per message. You can open it in your favorite binary editor/viewer and have fun!

How to use AppManage utility to stop and start BW applications

4 comments

AppManage utility can be used to create a BusinessWorks application using EAR file, export and import deployment configuration, deploy, undeploy, start, stop, delete an application. It can operate in batch mode. You can run AppManage utility on any machine in the TIBCO Domain. It is placed in /<tibco_home>/tra/<version>/bin/ folder. Log file will be in the domain log folder. I will show the most simple use of AppManage utility for stop and start one BW application. This can be used for scheduled restart, for example.

  • Prepare credentials file using obfuscate utility:
    > vi cred.txt
    user=admin
    pw=#!tibco

    > ./obfuscate cred.txt

    > cat cred.txt
    user=admin
    pw=#!L3myZM9vfgr/3GAEybDLLRzX9kcdAJxZ

  • Use AppManage to stop a deployed application:
    > ./AppManage -stop -app <application> -domain <domain> -cred cred.txt
  • Use AppManage to start a deployed application:
    > ./AppManage -start -app <application> -domain <domain> -cred cred.txt

<application> is “Application” in TIBCO Administrator, not “Service Instance”

The user, defined in the cred.txt file, mush have appropriate rights to start and stop an application. You can operate as “admin”, or better to define new user in TIBCO Administrator with write access rights.

How to trace BusinessWorks application

1 comment

You can set
Trace.Startup=true
Trace.Task.*=true
Trace.JC.*=true
Trace.Engine=true
Trace.Debug.*=true

in deployed tra file and then restart the application, run the process and until the errors appear again, then check detailed log file locates in the <install-path>\tibco\tra\domain\application\logs folder. Please keep in mind that all manual settings will be cleared after redeploy. To keep it permanent, set in bwengine.tra file in <install-path>\tibco\bw\<version>\bin folder.

Also possible to redirect the stdout and stderr output to any file. Please set in deployed cmd:
"/<install-path>/tibco/bw/<version>/bin/bwengine.exe" --run --propFile "/<install-path>/tibco/tra/domain/application/<application>.tra" > "/tmp/trace.out" 2>&1
then start this cmd from command shell.

You can also enable higher tracing to Hawk, set -tsm_tracelevel -1 in your <install-path>\tibco\tra\domain\<domain-name>\hawkagent.cfg and restart your Hawk Agent. The logs will be under <install-path>\tibco\tra\domain\<domain-name>\logs\tsm.log by default, you can define it using -tsm_traceLogFile parameter.

Deploy issue when running master and secondary TIB/Admin

no comments

TIBCO domain needs a repository where all service data are stored. This repository can be in xml files near TIBCO Administrator or it can be in a database. When you run both master and secondary servers of TIBCO Administrator, it is better to store repository in a database, because if it stored in files, both Administrator instances have to maintain its own copy of the repository. So, it could be a problem with syncing in some cases. When the copy of repository on the secondary server is out of sync, we can experience a problem with deploying and starting applications.

The errors seen in the admin log file:

2010 Feb 15 13:24:21:267 GMT +4 Error [ApplicationConfiguration] AESDKJ-0000 [http-8090-Processor11] COM.TIBCO.hawk.talon.MicroAgentException: Request timed out
2010 Feb 15 13:24:23:720 GMT +4 Error [Administrator] AESDKJ-0000 [http-8090-Processor11] ClientAbortException: java.net.SocketException: Connection reset by peer: socket write error

And in the tsm log files errors are similar to:

2010 Feb 15 13:23:10:335 GMT 4 tsm Debug [] [TRA-000000] tsm.syncBindings: probably admin server is not available. exception message: com.tibco.pof.entity.EntityStoreException: error creating client Server not responding
Caused by: com.tibco.infra.repository.OperationFailedException: error creating client Server not responding at com.tibco.infra.repository.RepoFactory.newClient(RepoFactory.java:3046)

Workaround is to stop secondary Administrator and deploy then. Solution is to stop secondary Administrator, remove all repository files on the secondary server, then copy repository files from the master. Usually all repository files in the <tibco_home>\administrator\domain\<domain_name>\data folder. Strategic decision – migration to a database storage.

By the way, when you plan a backup/restore solution, it makes sense to backup repository only on the master TIBCO Administrator, but in the case of recovery, restore it on both at the same time.

Enabling Informix SSO authentication

no comments

The idea was to let users, who have accounts in the MS AD, log on to Informix database running on Solaris without requiring to enter credentials again as they are already authenticated in the domain on their Windows workstations. So, we will configure Informix for Kerberos and Single Sign-On (SSO) authentication for Windows clients. This configuration can be called the logical conclusion of a previous configuration with PAM.

Informix box must be preconfigured and joined AD domain like in this my example for Solaris and MS AD. Installing the latest patches is strongly recommended as some related bugs were fixed recently in Solaris and Informix.

  1. On any Domain Controller:
    • create a service account in AD, one per server/alias
    • run setspn -A <sso_alias>/<informix_server>.domain.com@DOMAIN.COM <informix_server>
    • run ktpass -princ <sso_alias>/<informix_server>.domain.com@DOMAIN.COM -mapuser <serv_acc>@DOMAIN.COM -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -mapop set -pass <serv_acc_password> -out my.keytab
    • upload generated keytab file to Informix server
  2. On the Informix box:
    • run ktutil and insert generated key to existing keys file:
      ktutil:  rkt /upload/my.keytab
      ktutil:  wkt /etc/krb5/krb5.keytab
      ktutil:  quit
    • run klist -e -k /etc/krb5/krb5.keytab to check keys file
    • create <informix_home>ids/etc/concsm.cfg file with one row like this:
      GSSCSM("/app/informix/ids/lib/csm/libixgss.so", "", "c=1,i=1")
    • add sso alias to Informix onconfig file
    • add sso alias to sqlhosts file:
      ssoalias         ontlitcp        hostname      1526   s=7,csm=(GSSCSM)
  3. On all Windows workstations:
    • latest version of IBM Informix-Connect must be installed
    • create concsm.cfg file in the C:\Program Files\IBM\Informix\Connect\etc folder with one row like this:
      GSSCSM("client=C:\Program Files\IBM\Informix\Connect\lib\client\csm\igsss11a.dll", "", "c=1,i=1")
    • run setnet32 and describe server like on my screenshot, don’t forget specify options: s=7,csm=(GSSCSM)
    • test using ilogin or define ODBC source; leave username and password fields empty

To check AD accounts from Unix or debug Kerberos and SSO use the following tools:

  • klist, ldapsearch, ldaplist, getent
  • krb-diag

Enabling Informix PAM authentication

1 comment

Some text from Wikipedia for introduction:

pluggable authentication modules, or PAM, is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). It allows programs that rely on authentication to be written independently of the underlying authentication scheme.

In my case the idea was to let users, who have accounts in the MS AD, log on to Informix Dynamic Server using their AD username and password.

Your OS must be ready to use PAM and Kerberos, configured like in this example for Solaris and MS AD.

So, lets start:

  1. Better to limit number of enctypes for Kerberos, especially if KDC is Windows 2008 R2.
    To do that, add the flowing rows in the /etc/krb5/krb5.conf:
    [libdefaults]
    default_tkt_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
    default_tgs_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
    default_etypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
    default_etypes_des = des-cbc-crc
  2. To define Informix for PAM, add its name to /etc/pam.conf, I will name it ids_pam_service:
    ids_pam_service auth sufficient pam_krb5.so.1
    ids_pam_service auth sufficient pam_unix_auth.so.1

    First line for Kerberos authentication, second to allow local users (defined in passwd) to login through pam-enabled Informix alias.
  3. Configure one or many Informix aliases to enable PAM. Do that in sqlhosts file:
    <alias_name>           ontlitcp        <host_name>      <service_name>    s=4,pam_serv=(ids_pam_service),pamauth=(password)
    like in my example:
    onpam           ontlitcp        serv-inf01      1526    s=4,pam_serv=(ids_pam_service),pamauth=(password)

After Informix restart, PAM authentication will be enabled. Clients will be prompted to enter their local or AD credentials to connect.

If it doesn’t work, you can debug PAM, just touch /etc/pam_debug file and put auth.debug string in the /etc/syslog.conf file:
auth.debug /var/adm/dmessages
Keep in mind that spaces not allowed in syslog.conf, only tabs, and syslog daemon restart is required.

Main disadvantage of PAM is that due to limits of the PAM API, it is not possible for a PAM module to request a Kerberos service ticket from a Kerberos Key Distribution Center (KDC), allowing the user to utilize the application without re-authenticating. pam_krb5 only fetches ticket granting tickets, which involves prompting the user for credentials and are only used for initial login in an SSO environment. To fetch a service ticket for a particular application, and not prompt the user to enter credentials again, that application must be specifically coded to support Kerberos, as pam_krb5 cannot itself get service tickets.

I will describe how to configure Informix for Kerberos and Single Sign-On (SSO) authentication in the next post.

Update: each account in AD must have the following attributes specified: uid, uidNumber, gidNumber, unixHomeDirectory, loginShell. The easiest way to do that is using ADSI Edit snap-in for MMC.

Configuring HermesJMS for TIBCO EMS

29 comments

HermesJMS provides a GUI to access JMS queues and topics for common tasks such as sending messages, removing messages and copying messages between queues and topics. It’s one of some “must have” tools for EMS admins and application support team.

Get the latest installer from SourceForge: http://sourceforge.net/projects/hermesjms/files/ then run it:
java -jar hermes-installer.jar

Installation is very simple, just few screens: release notes, license agreement, installation path, components (here is only one actually), summary, files copying, shortcuts creation and installation finish.

To start HermesJMS run hermes.bat in your <installation_folder>\HermesJMS\bin. If you got error message “cannot find \bin\javaw”, make sure that you have JAVA_HOME system variable defined to your jre folder.

When Hermes started successfully, click on “Create new JMS session” button, preferences window will appear, select providers tab and right-clik on free space. Then press “Add Group” and enter group name. Right-click on “Library” and press “Add JAR(s)”. Look in <tibco_home>\ems\5.1\lib folder and select all .jar files there. Click “Open”, then let Hermes to scan jars for factories: press “Scan” button. Then press “Apply”. All libraries will be in the list like on my screenshot.

Go to “Sessions” tab and enter name for session: “My EMS” for example, then select “EMS” loader. Next step is select “com.tibco.tibjms. TibjmsConnectionFactory” class and “Tibco EMS” plugin. Order is very important: select loader, then class, then plugin. Right-click on free space in plugin section and press “Add property”. You have to enter all three properties: username, password and serverURL, do the same for Connection Factory, then press “OK” to save and close properties window.

Now we can connect Hermes to our EMS. Let it discover queues and topics, press “Discover queues and topics from the provider” button. Then confirm replacement of the current set of destinations and list will be updated. That’s all.

If you need more information: HermesJMS home.