7/23/09

Collector Tool

Someone asked me how to run the collector tool. The IBM documentation says to run the tool not from APPSERVER_INST_PATH/bin but from a working directory. What exactly is that?

The collector tool gathers information about your WebSphere Application Server installation and packages it in a Java archive (JAR) file that you can send to IBM Customer Support to assist in determining and analyzing your problem. Information in the JAR file includes logs, property files, configuration files, operating system and Java data, and the presence and level of each software prerequisite.

collector command - summary option

WebSphere Application Server products include an enhancement to the collector tool beginning with Version 5.0.2, known as the collector summary option.

The collector summary option helps you communicate with WebSphere Application Server technical staff at IBM Support. Run the collector tool with the -Summary option to produce a lightweight text file and console version of some of the information in the Java archive (JAR) file that the tool produces without the -Summary parameter. You can use the collector summary option to retrieve basic configuration and prerequisite software level information when starting a conversation with IBM Support.

The collector summary option produces version information for the WebSphere Application Server product and the operating system as well as other information. It stores the information in the Collector_Summary.txt file and writes it to the console. You can use the information to answer initial questions from IBM Support or you can send the Collector_Summary.txt file directly to IBM Support.

The collector tool collects key information, including FFDC data, configuration, logs, and so on, and packages all of it into a JAR file. Depending on your configuration, the JAR file may occupy a lot of space, so the IBM documentation says to create a working folder outside the application server installation path.
Example,
mkdir /tmp/collector
cd /tmp/collector

Then run the script as needed
/appserver/instpath/profiles/profilename/bin/collector.sh
or
/appserver/instpath/profiles/profilename/bin/collector.sh -Summary

Symbolic links

WebSphere and IHS administration sometimes requires you to create symbolic links. This is the procedure.

ln is the command to create symbolic links.
$man ln
User Commands ln

NAME
ln - make hard or symbolic links to files

SYNOPSIS
/usr/bin/ln [-fns] source_file [target]

/usr/bin/ln [-fns] source_file... target

/usr/xpg4/bin/ln [-fs] source_file [target]

/usr/xpg4/bin/ln [-fs] source_file... target

DESCRIPTION
In the first synopsis form, the ln utility creates a new
directory entry (link) for the file specified by
source_file, at the destination path specified by target. If
target is not specified, the link is made in the current
directory. This first synopsis form is assumed when the
final operand does not name an existing directory; if more
than two operands are specified and the final is not an
existing directory, an error will result.

In the second synopsis form, the ln utility creates a new
directory entry for each file specified by a source_file
operand, at a destination path in the existing directory
named by target.
..............................


Example -
Developers wanted to have a look at SystemOut.log and SystemErr.log. They don't have a uid on the box, so I needed to create a web link to the logs through the HTTP Server.
I did it like this.
I created a document root called logs:
/logs
I created symbolic links to SystemOut.log and SystemErr.log like this:
ln -s source destination
This creates a soft link from a file to a file.
$ln -s /path/to/appserver/profiles/profilename/logs/servername/SystemOut.log SystemOut.log
$ln -s /path/to/appserver/profiles/profilename/logs/servername/SystemErr.log SystemErr.log
This created two links, SystemOut.log and SystemErr.log, under /logs.
If I run ls -ltr on /logs, I get this list:
SystemOut.log -> /path/to/appserver/profiles/profilename/logs/servername/SystemOut.log
SystemErr.log -> /path/to/appserver/profiles/profilename/logs/servername/SystemErr.log

Then I created an HTML file, say index.html, with hyperlinks like this -
Server Logs
<a href="SystemOut.log">SystemOut</a><br />
<a href="SystemErr.log">SystemErr</a>
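
The HTTP server serves whatever a link in the document root resolves to, so it is worth confirming that every link under /logs still points into the server's log directory. The following is an added example, not part of the original post, that audits a document root this way; the function names and the demo layout are made up for illustration, and `readlink -f` is assumed to be available.

```shell
#!/bin/sh
# Added example: list symlinks in a web document root that resolve outside
# the single directory they are meant to expose, or that dangle.
# Assumes `readlink -f` (GNU coreutils or BusyBox); demo paths are constructed.

# audit_links DOCROOT ALLOWED_DIR
# Prints one line per offending link; returns 0 only when every link is fine.
audit_links() {
    docroot=$1
    allowed=$(readlink -f "$2") || return 2
    bad=0
    for link in "$docroot"/* "$docroot"/.[!.]*; do
        [ -L "$link" ] || continue
        if [ ! -e "$link" ]; then
            echo "DANGLING $link"; bad=1; continue
        fi
        target=$(readlink -f "$link")
        case $target in
            "$allowed"/*) ;;    # resolves inside the allowed log directory
            *) echo "OUTSIDE $link -> $target"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed layout mirroring the post: a docroot holding links to
# SystemOut.log and SystemErr.log, then one stray link to a config file.
# Prints: audit status before the stray link, status after, first finding.
demo_audit() {
    tmp=$(mktemp -d) || return 2
    logs=$tmp/profile/logs/server1
    mkdir -p "$logs" "$tmp/profile/config" "$tmp/docroot"
    : > "$logs/SystemOut.log"; : > "$logs/SystemErr.log"
    : > "$tmp/profile/config/settings.xml"
    ln -s "$logs/SystemOut.log" "$tmp/docroot/SystemOut.log"
    ln -s "$logs/SystemErr.log" "$tmp/docroot/SystemErr.log"
    first=0; audit_links "$tmp/docroot" "$logs" || first=$?
    ln -s "$tmp/profile/config/settings.xml" "$tmp/docroot/sec.xml"
    second=0; out=$(audit_links "$tmp/docroot" "$logs") || second=$?
    rm -rf "$tmp"
    echo "$first $second ${out%% *}"
}

demo_audit
```

IHS follows such links only where Options FollowSymLinks (or SymLinksIfOwnerMatch) is in effect for the directory.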

7/14/09

Enable Trace in Plugin-cfg.xml

The web server plug-in writes a log, named http_plugin.log by default and placed under PLUGIN_HOME/logs/.
The plug-in writes error messages to this log. The element that controls this is <Log> in plugin-cfg.xml.
Ex.,
<Log LogLevel="Error" Name="/usr/IBM/WebSphere/Plugins/logs/http_plugin.log"/>

With the line above, all error messages are written to http_plugin.log.

To enable trace in plugin-cfg.xml, change the line like this -

<Log LogLevel="Trace" Name="/usr/IBM/WebSphere/Plugins/logs/http_plugin.log"/>

From the InfoCenter -
Plug-in Problem Determination Steps
The plug-in provides very readable tracing which can be beneficial in helping to figure out the problem. By setting the LogLevel attribute in the config/plugin-cfg.xml file to Trace, you can follow the request processing to see what is going wrong.
Note: If you are using a Veritas File System with large file support enabled, file sizes up to two terabytes are allowed. In this case, if you set the LogLevel attribute in the plugin-cfg.xml file to LogLevel=Trace, then the http_plugin.log file might grow quickly and consume all available space on your file system. Therefore, you should set the value of the LogLevel attribute to ERROR or DEBUG to prevent high CPU utilization.
At a high level, complete these steps.
The plug-in gets a request.
The plug-in checks the routes defined in the plugin-cfg.xml file.
It finds the server group.
It finds the server.
It picks the transport protocol, HTTP or HTTPS.
It sends the request.
It reads the response.
It writes it back to the client.
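
Trace is meant for a troubleshooting session, and the note above explains how quickly http_plugin.log can grow while it is on. The following is an added example, not IBM's or the author's code, that reads the Log element and reports whether Trace is still enabled along with the log's current size; the function names are hypothetical and the element is assumed to sit on one line.

```shell
#!/bin/sh
# Added example: read the <Log> element of a plugin-cfg.xml and flag a
# configuration that still has Trace enabled.
# Assumes the <Log .../> element sits on a single line, as in the post.

# plugin_log_attr FILE ATTR -> value of ATTR on the first <Log> element
plugin_log_attr() {
    sed -n "s/.*<Log[[:space:]][^>]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# trace_enabled FILE -> exit 0 when LogLevel is Trace, in any letter case
trace_enabled() {
    lc=$(plugin_log_attr "$1" LogLevel | tr '[:upper:]' '[:lower:]')
    [ "$lc" = "trace" ]
}

# plugin_log_report FILE -> one-line summary with the log's current size
plugin_log_report() {
    level=$(plugin_log_attr "$1" LogLevel)
    name=$(plugin_log_attr "$1" Name)
    size=0
    if [ -f "$name" ]; then size=$(wc -c < "$name" | tr -d ' '); fi
    state=ok
    if trace_enabled "$1"; then state=TRACE-ON; fi
    echo "$state LogLevel=$level Name=$name bytes=$size"
}

# Constructed sample file; the log path is the one quoted in the post.
demo_plugin() {
    cfg=$(mktemp) || return 2
    cat > "$cfg" <<'EOF'
<Config>
   <Log LogLevel="Trace" Name="/usr/IBM/WebSphere/Plugins/logs/http_plugin.log"/>
</Config>
EOF
    plugin_log_report "$cfg"
    rm -f "$cfg"
}

demo_plugin
```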


Here is the URL for Web server plug-in troubleshooting tips

Multiple Authentication Bypass Vulnerabilities within IBM WAS

Multiple Authentication Bypass Vulnerabilities within IBM WebSphere Application Server

OVERVIEW:
Two vulnerabilities in IBM WebSphere Application Server have recently been made public. IBM WebSphere Application Server is a software application server that uses web technologies and can be implemented on many common operating systems. Both vulnerabilities may allow malicious users to bypass authentication required to access a service running on the vulnerable server. Successful exploitation may allow attackers to gain unauthorized access to the service, which may lead to other attacks.

SYSTEMS AFFECTED:
The vulnerability identified by IBM in PK72138 (Bugtraq ID 35594):
* IBM WebSphere Application Server 7.0 1
* IBM WebSphere Application Server 6.1 23
* IBM WebSphere Application Server 6.1 22
* IBM WebSphere Application Server 6.1 21
* IBM WebSphere Application Server 6.1 20
* IBM WebSphere Application Server 6.1 19
* IBM WebSphere Application Server 6.1 18
* IBM WebSphere Application Server 6.1 17
* IBM WebSphere Application Server 6.1 15
* IBM WebSphere Application Server 6.1 13
* IBM WebSphere Application Server 6.1 12
* IBM WebSphere Application Server 6.1 10
* IBM WebSphere Application Server 6.1 .9
* IBM WebSphere Application Server 6.1 .7
* IBM WebSphere Application Server 6.1 .6
* IBM WebSphere Application Server 6.1 .5
* IBM WebSphere Application Server 6.1 .3
* IBM WebSphere Application Server 6.1 .2
* IBM WebSphere Application Server 6.1 .14
* IBM WebSphere Application Server 6.1 .1
* IBM WebSphere Application Server 6.1
* IBM WebSphere Application Server 7.0

The vulnerability identified by IBM in PK75992 (Bugtraq ID 35610):
* IBM WebSphere Application Server 7.0 1
* IBM WebSphere Application Server 6.1 21
* IBM WebSphere Application Server 6.1 19
* IBM WebSphere Application Server 6.1 17
* IBM WebSphere Application Server 6.1 15
* IBM WebSphere Application Server 6.0.2 31
* IBM WebSphere Application Server 6.0.2 29
* IBM WebSphere Application Server 6.0.2 27
* IBM WebSphere Application Server 6.0.2 .25
* IBM WebSphere Application Server 7.0

RISK:
Government:
* Large and medium government entities: High
* Small government entities: High

Businesses:
* Large and medium business entities: High
* Small business entities: High

Home users: N/A

DESCRIPTION:
IBM has confirmed the existence of two vulnerabilities that may allow a remote attacker to bypass application server authentication. Exploiting these vulnerabilities could allow an attacker to access restricted services, which may then lead to other attacks. Both vulnerabilities are associated with WS-Security, which is the security implementation within the Java API for XML Web Services (JAX-WS).
The first vulnerability discovered within WS-Security, referenced and addressed by IBM in PK72138, can only be exploited when the security policy is implemented at the 'Operational Level'. When this policy is established, WS-Security does not properly handle inbound requests that lack a SOAPAction or WS-Addressing Action. An attacker can craft a malicious inbound request to exploit this vulnerability. Successful exploitation may allow attackers to bypass certain security restrictions, which may then lead to other attacks.
The second vulnerability, referenced and addressed by IBM in PK75992, arises in the way WS-Security validates the 'UsernameToken' object. It is possible for WS-Security to incorrectly validate these tokens, allowing a malicious user to bypass the authentication process. This may allow a malicious user to conduct further attacks.

RECOMMENDATIONS:
We recommend the following actions be taken:
* Apply appropriate patches provided by IBM to vulnerable systems immediately after appropriate testing.
* Deploy network intrusion detection systems to monitor network traffic for malicious activity.
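
The PK72138 description turns on inbound requests that carry neither a SOAPAction nor a WS-Addressing Action, which is something monitoring can look for. The following is an added example, not part of the advisory or of IBM's fix, that applies that test to raw HTTP requests saved one per file; the function names, the file format and the sample request are assumptions.

```shell
#!/bin/sh
# Added example: triage heuristic for the condition described for PK72138.
# Input is one raw HTTP request per file (headers, blank line, body).
# Treating an empty SOAPAction value as "no action" is an assumption.

# soap_action_present FILE -> exit 0 if the request names an action via a
# SOAPAction header, a Content-Type action= parameter, or an Action element
# in the body (assumed here to be the WS-Addressing Action).
soap_action_present() {
    awk '
        { sub(/\r$/, "") }
        !in_body && $0 == "" { in_body = 1; next }
        !in_body {
            h = tolower($0)
            if (h ~ /^soapaction:/) {
                v = h; sub(/^soapaction:/, "", v); gsub(/[ \t"]/, "", v)
                if (v != "") found = 1
            }
            if (h ~ /^content-type:.*action=/) found = 1
        }
        in_body && /<([A-Za-z0-9_.-]+:)?Action[ >]/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# is_soap_post FILE -> exit 0 for a POST whose body holds a SOAP Envelope
is_soap_post() {
    head -n 1 "$1" | grep -q '^POST ' &&
        grep -Eq '<([A-Za-z0-9_.-]+:)?Envelope[ >]' "$1"
}

# flag_request FILE -> prints FLAG for a SOAP POST that names no action
flag_request() {
    if is_soap_post "$1" && ! soap_action_present "$1"; then
        echo "FLAG $1"
    else
        echo "ok $1"
    fi
}

# Constructed request (not captured traffic): no SOAPAction, no Action.
demo_flag() {
    req=$(mktemp) || return 2
    printf 'POST /svc HTTP/1.1\r\nContent-Type: text/xml\r\n\r\n%s\n' \
        '<s:Envelope xmlns:s="urn:constructed"><s:Body/></s:Envelope>' > "$req"
    flag_request "$req" | cut -d' ' -f1
    rm -f "$req"
}
demo_flag
```

Services that legitimately omit both fields will also be flagged, so treat a hit as a prompt to check the endpoint's policy and patch level rather than as proof of an attack.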

REFERENCES:

IBM:
http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D600&uid=swg21367223&loc=en_US&cs=UTF-8&lang=en&rss=ct180WebSphere

Security Focus:
http://www.securityfocus.com/bid/35594
http://www.securityfocus.com/bid/35610

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0903