How to decode WAS password
Run the following command on the server where WAS is installed. Search for the ws_runtime.jar on your system to get the correct path for your version of WAS.
java -classpath <WASHOME>/deploytool/itp/plugins/com.ibm.websphere.v61_6.1.200/ws_runtime.jar com.ibm.ws.security.util.PasswordDecoder "<password starting with {xor}>"
For WAS 7 and BPM you might also need other libs in your CLASSPATH:
WAS_ROOT=/software/ems/bpm/WebSphere/AppServer
WAS_JARS_DIR=$WAS_ROOT/deploytool/itp/plugins/com.ibm.websphere.v7_7.0.1.v20101015_1536/wasJars
SEC_JARS=securityimpl.jar:wssec.jar:crypto.jar:bootstrap.jar:ras.jar:wsexception.jar:com.ibm.ws.emf.jar:org.eclipse.emf.ecore.jar:org.eclipse.emf.common.jar
cd $WAS_JARS_DIR
$WAS_ROOT/java/bin/java -cp $SEC_JARS com.ibm.ws.security.util.PasswordDecoder "{xor}LDo8LTor"
To encode a password, run the following:
$WAS_ROOT/java/bin/java -cp $SEC_JARS com.ibm.ws.security.util.PasswordEncoder secret
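PasswordDecoder needs no key because {xor} is a reversible encoding, not encryption: each byte of the password is XORed with the underscore character and the result is Base64-encoded. The Python sketch below is an added example (not from the original page and not IBM code) that reproduces the encoding and audits a configuration fragment for {xor} values, so you can see which files must be protected by file permissions. The sample XML and the function names are constructed for illustration.

```python
import base64
import re

XOR_KEY = 0x5F  # ASCII '_': the fixed key behind every {xor} value
XOR_ATTR = re.compile(r'(\w+)\s*=\s*"(\{xor\}[A-Za-z0-9+/=]*)"')


def decode_xor(value):
    """Reverse an {xor} string: strip the prefix, Base64-decode, XOR with '_'."""
    if not value.startswith("{xor}"):
        raise ValueError("not an {xor}-encoded value")
    raw = base64.b64decode(value[len("{xor}"):], validate=True)
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")


def encode_xor(password):
    """Encode a plain password the same way: XOR with '_', then Base64."""
    masked = bytes(b ^ XOR_KEY for b in password.encode("utf-8"))
    return "{xor}" + base64.b64encode(masked).decode("ascii")


def find_xor_secrets(config_text):
    """Return (line_no, attribute, recoverable) for every {xor} attribute found."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        for attr, value in XOR_ATTR.findall(line):
            try:
                decode_xor(value)
                recoverable = True   # anyone who can read the file can read it
            except (ValueError, UnicodeDecodeError):
                recoverable = False  # malformed value, still worth reviewing
            findings.append((line_no, attr, recoverable))
    return findings


# Constructed sample input, not taken from a real server.
SAMPLE_CONFIG = """\
<authDataEntries alias="node/db" userId="dbuser" password="{xor}LDo8LTor"/>
<userRegistries serverId="admin" serverPassword="{xor}Lz4sLA=="/>
<properties name="timeout" value="30"/>
"""

if __name__ == "__main__":
    for line_no, attr, recoverable in find_xor_secrets(SAMPLE_CONFIG):
        print("line %d: attribute %s holds a reversible {xor} value (decodes: %s)"
              % (line_no, attr, recoverable))
```

The audit reports only the location of each value, not the decoded password, so its output can be attached to a ticket.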
How to enable WAS performance monitoring
Enable PMI in the administrative console.
- In the administrative console, click Monitoring and Tuning > Performance Monitoring Infrastructure > server_name.
- Verify that Enable Performance Monitoring Infrastructure (PMI) is selected. This setting is enabled by default. If the setting is not enabled, select the check box, pick the amount of stats you want to pull (basic, extended and all), then restart the server.
You could also do it with the JACL wsadmin script:
set s1 [$AdminConfig getid /Cell:CELL_NAME/Node:NODE_NAME/Server:APPLICATION_SERVER_NAME/]
set pmi [$AdminConfig list PMIService $s1]
$AdminConfig show $pmi
$AdminConfig modify $pmi {{enable true}}
$AdminConfig save
If you need to enable PMI, restart the server.
Now you can use a script like this to list all active MBeans that have a stats component:
perfOName = AdminControl.makeObjectName(AdminControl.completeObjectName('type=Perf,*'))
# Query all MBeans; narrow the pattern (e.g. type=ConnectionPool,*) if needed
for a in AdminControl.queryNames('*').split('\n'):
    try:
        # getConfig returns a com.ibm.websphere.pmi.PmiModuleConfig, or None if the MBean has no stats
        config = AdminControl.invoke_jmx(perfOName, 'getConfig', [AdminControl.makeObjectName(a)], ['javax.management.ObjectName'])
        if config is not None:
            print a
    except:
        pass
How to trigger a heap dump in a running WebSphere instance
Start wsadmin on the instance and run:
set jvmname [$AdminControl queryNames WebSphere:type=JVM,process=server1,node=SERVERNode01,*]
Use the proper node name. You should get a reply, something like this:
WebSphere:name=JVM,process=server1,platform=proxy,node=SERVERNode01,j2eeType=JVM,J2EEServer=server1,version=7.0.0.13,type=JVM,mbeanIdentifier=JVM,cell=SERVERNode01Cell,spec=1.0
To dump threads, run:
$AdminControl invoke $jvmname dumpThreads
This will create a javacore.YYYYMMDD.HHMMSS.mmmm.nnnnn.txt file in the profiles\AppSrv01 (root) folder. To dump the heap (memory), run:
$AdminControl invoke $jvmname generateHeapDump
It should generate a heapdump.YYYYMMDD.HHMMSS.mmmm.nnnnn.phd file and report its location back to you. It should be in the root folder as well.
How to configure permanent mapping of users/groups to roles in a webapp
In the EAR container, create ibm-application-bnd.xmi with contents similar to the following:
<?xml version="1.0" encoding="UTF-8"?>
<applicationbnd:ApplicationBinding xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:applicationbnd="applicationbnd.xmi" xmlns:common="common.xmi" xmlns:application="application.xmi" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmi:id="Application_ID_Bnd">
  <appName xsi:nil="true"/>
  <authorizationTable xmi:id="AuthorizationTable_1">
    <authorizations xmi:id="RoleAssignment_1">
      <specialSubjects xmi:type="applicationbnd:AllAuthenticatedUsers" xmi:id="AllAuthenticatedUsers_1" name="AllAuthenticatedUsers"/>
      <role href="META-INF/application.xml#SecurityRole_1"/>
    </authorizations>
  </authorizationTable>
  <application href="META-INF/application.xml#Application_ID"/>
  <runAsMap xmi:id="RunAsMap_1"/>
</applicationbnd:ApplicationBinding>
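The binding above grants SecurityRole_1 to every authenticated user, which is easy to overlook once the file is packaged in the EAR. The Python sketch below is an added example (not part of the original page) that parses an ibm-application-bnd.xmi and lists who is bound to each role, flagging the special subjects that cover a whole population. The second authorization, the group name AppAdmins and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XMI_TYPE = "{http://www.omg.org/XMI}type"
# Special subjects that grant a role to a population rather than named principals.
BROAD_SUBJECTS = {"applicationbnd:Everyone", "applicationbnd:AllAuthenticatedUsers"}


def audit_bindings(xmi_text):
    """Return one dict per <authorizations> entry of an ibm-application-bnd.xmi."""
    root = ET.fromstring(xmi_text.encode("utf-8"))
    report = []
    for auth in root.iter("authorizations"):
        role = auth.find("role")
        special = [s.get(XMI_TYPE) for s in auth.findall("specialSubjects")]
        report.append({
            "role_ref": role.get("href") if role is not None else None,
            "special": special,
            "users": [u.get("name") for u in auth.findall("users")],
            "groups": [g.get("name") for g in auth.findall("groups")],
            "broad": sorted(BROAD_SUBJECTS.intersection(special)),
        })
    return report


def broadly_granted_roles(report):
    """Role references that are open to Everyone or AllAuthenticatedUsers."""
    return [entry["role_ref"] for entry in report if entry["broad"]]


# Constructed sample: the page's binding plus one group-based assignment.
SAMPLE_BND = """<?xml version="1.0" encoding="UTF-8"?>
<applicationbnd:ApplicationBinding xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI" xmlns:applicationbnd="applicationbnd.xmi"
    xmi:id="Application_ID_Bnd">
  <authorizationTable xmi:id="AuthorizationTable_1">
    <authorizations xmi:id="RoleAssignment_1">
      <specialSubjects xmi:type="applicationbnd:AllAuthenticatedUsers"
          xmi:id="AllAuthenticatedUsers_1" name="AllAuthenticatedUsers"/>
      <role href="META-INF/application.xml#SecurityRole_1"/>
    </authorizations>
    <authorizations xmi:id="RoleAssignment_2">
      <groups xmi:id="Group_1" name="AppAdmins"/>
      <role href="META-INF/application.xml#SecurityRole_2"/>
    </authorizations>
  </authorizationTable>
</applicationbnd:ApplicationBinding>
"""

if __name__ == "__main__":
    for entry in audit_bindings(SAMPLE_BND):
        print(entry["role_ref"], entry["special"], entry["users"], entry["groups"])
```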
How to configure WebSphere to authenticate against AD
- Log in to the WAS admin console at https://was.corp.dom:9043/ibm/console/ as an existing admin
- Click on Security -> Global security
- Choose standalone ldap registry in the pull down window for ‘Available realm definitions’ then click configure…
- Put in the following parameters:
  - Primary administrative user name: adminid_from_AD
  - Type of LDAP server: Microsoft Active Directory
  - Host: primary_domain_controller.corp.dom
  - Base dn: dc=corp,dc=dom
  - Bind dn: cn=adminid_from_AD,ou=users,dc=corp,dc=dom
  - Enter password
- Hit test to test the connection and then ok.
- At the top hit save.
- Go to Administrative group roles, hit add, change the search string to the name of the group that will be WAS admins and click add, then save.
- Change the “federated directories” to the “standalone ldap registry” in the “available realm definitions” drop-box. Click “set as current”
- Check “enable application security” under Application Security
- Click apply and then save
- Reinstall the WebSphere service. On the WAS server, run the following at the command prompt (adjust the names as appropriate):
F:\IBM\WebSphere\AppServer\bin\WASService.exe -remove WASNode01
F:\IBM\WebSphere\AppServer\bin\WASService.exe -add WASNode01 -servername server1 -profilepath "...\WebSphere\AppServer\profiles\AppSrv01" -configroot "...\WebSphere\AppServer\profiles\AppSrv01\config" -logroot "...\WebSphere\AppServer\profiles\AppSrv01\logs\server1" -logFile "...\WebSphere\AppServer\profiles\AppSrv01\logs\server1\WASNode01 Service.log" -washome "...\WebSphere\AppServer" -restart false -stopArgs "-username adminid_from_AD -password passwordhere " -starttype automatic -encodeparams
- Restart WAS.
- First stop it and try to access it. Make sure that it cannot be accessed on the admin console
- If it is still up, log on to the WAS server, start the command prompt and stop WebSphere using the following command:
...\websphere\appserver\profiles\appsrv01\bin\stopserver.bat server1
- Provide proper admin credentials
- Start WAS back up
- Verify that you can log in as yourself to the WebSphere admin console
How to change session expiration
- In the WAS admin console (:9090/admin) click applications->enterprise applications->enRole->Session Management->Session Timeout
- Restart enRole
- You also need to change the web.xml files
Session-Timeout (how long it takes for the system to take you back to the logon screen):
File       line
---------  -------------------------------------------------
web.xml:   10
- Ok, first we need to find the correct web.xml file - and there are a number of them.
set was_home=C:\Progra~1\WebSphere
dir %was_home%\AppServer\installedApps\web.xml /b /s>one &findstr /i /c:enrole one
C:\Progra~1\WebSphere\AppServer\installedApps\appname\enRole.ear\app_web.war\WEB-INF\web.xml
C:\Progra~1\WebSphere\AppServer\installedApps\appname\enRole.ear\passwordsynch_web.war\WEB-INF\we
C:\>notepad C:\Progra~1\WebSphere\AppServer\installedApps\appname\enRole.ear\app_web.war\WEB-INF\web.xml
How to change the ports for the WebSphere Application Server - Express
The embedded version of WebSphere Application Server - Express uses four default port settings:
Http Transport (port 1): 9080
Http Transport (port 2): 9443
Bootstrap/rmi port: 2809
Soap connector port: 8880
- Http Transport port 1
Find the line containing the port number 9080 in the following files and replace the 9080 with the port number that you want:
$WASHOME\config\cells\DefaultNode\nodes\DefaultNode\servers\server1\server.xml
$WASHOME\config\cells\DefaultNode\virtualhosts.xml
- Http Transport port 2
Find the line containing the port number 9443 in the following files and replace the 9443 with the port number that you want:
$WASHOME\config\cells\DefaultNode\nodes\DefaultNode\servers\server1\server.xml
$WASHOME\config\cells\DefaultNode\virtualhosts.xml
- Bootstrap/rmi port
Find the line containing the port number 2809 in the following file and replace the 2809 with the port number that you want:
$WASHOME\config\cells\DefaultNode\nodes\DefaultNode\serverindex.html
- Soap connector port
Find the line containing the port number 8880 in the following file and replace the 8880 with the port number that you want:
$WASHOME\config\cells\DefaultNode\nodes\DefaultNode\serverindex.html
How to change IP for the WebSphere Application Server - Express to listen on
Same procedure as the one for changing a port, but change "host" instead of "port". Use a comma to list both the short name and the FQDN.
How to check WAS version
/opt/IBM/WebSphere/AppServer/bin/versionInfo.sh
How to configure WAS for SSL
- Restart server1
- Go to the WPS server WAS admin interface: http://server:9090/admin
- Login as wpsbind
- Environment->virtual hosts->default_host->host aliases->new
name: *, port: 443
- Ok->save->save. Click update web server plug-in -> ok
- Copy Y:\WebSphere\AppServer\config\cells\plugin-cfg.xml X:\WebSphere\AppServer\config\cells\
where Y: is on the WAS server and X: is on the IHS server
- Restart server1 on WPS server
- Test by going to http://server/snoop and https://server/snoop
How to configure WAS or WPS to start as a service
WASService -add server2 -servername server2 -wasHome "D:\Program Files\WebSphere\AppServer" -logfile "D:\Program Files\WebSphere\AppServer\logs\server2\startServer.log" -logRoot "D:\Program Files\WebSphere\AppServer\logs\server2" -restart true
See [1]
How to delete a WAS 6.x profile
E:\WebSphere\AppServer\bin>wasprofile.bat -unaugment -profileName AppSrv01
INSTCONFSUCCESS: Profile unaugmentation succeeded.
E:\WebSphere\AppServer\bin>wasprofile.bat -delete -profileName AppSrv01
INSTCONFSUCCESS: Success: The profile no longer exists.
How to enable and disable WAS Tracing for Security Components
It is recommended to enable this feature until you are satisfied that everything is working correctly. The page is accessed through the WAS Administrative console. Go to Troubleshooting->Logs and trace and select the server you want to trace. (Another way is Servers->Application Servers: select the server you want to trace, then click on Logging and Tracing Properties.) Click on Diagnostic Trace Service. In the Trace Specification text box, change the value to:
com.ibm.ws.security.*=all=enabled
Or
*=all=disabled
Click Apply for the changes to take effect. The trace.log file will appear in the log/<server name> directory under the WAS installation path.
How to get a dump of the hung threads in WAS
Go to WAS_HOME\bin, run wsadmin, and type:
$AdminControl invoke [$AdminControl completeObjectName type=JVM,process=MY_JVM_NAME_HERE,*] dumpThreads
How to restart WAS (App Server)
Use this when bouncing the WAS service does not work:
D:\WebSphere\AppServer\bin\stopServer server1 -username wpsbind -password ****
D:\WebSphere\AppServer\bin\startServer server1 -username wpsbind -password ****
How to update a WebSphere IHS plugin
WebSphere\AppServer\bin\GenPluginCfg.sh
or through WAS admin console -> Environment -> Update WebServerPlugin. Then physically move the file onto the IHS server:
copy Y:\WebSphere\AppServer\config\cells\plugin-cfg.xml X:\WebSphere\AppServer\config\cells\
How to run the version verification command for WAS6 and WAS5.1
- WAS6.0:
bin\versionInfo.bat -maintenancePackages
- WAS5.1:
bin\versionInfo.bat -fixes
How to clear WAS JSP or JIT compiler cache
Helpful in situations like this one:
Error 404: SRVE0202E: Servlet [/jsp/logon/LogonLayout.jsp]: org.apache.jsp._LogonLayout was found, but is corrupt:
SRVE0227I: 1. Check that the class resides in the proper package directory.
SRVE0228I: 2. Check that the classname has been defined in the server using the proper case and fully qualified package.
SRVE0229I: 3. Check that the class was transferred to the filesystem using a binary transfer mode.
SRVE0230I: 4. Check that the class was compiled using the proper case (as defined in the class definition).
SRVE0231E: 5. Check that the class file was not renamed after it was compiled.
Clear the following directory:
"A:\Program Files\ibm\WebSphere\AppServer\profiles\AppSrv01\temp\ADNode01\server1"
How to disable WAS security
wsadmin -conntype NONE
securityoff
If it fails, back up the security.xml file, change the very first enabled="true" to enabled="false", and restart the servers.