Saturday, 28 February 2015

VITECH INTERVIEW QUESTION ON WEBLOGIC

Vitech conducted a practical session on WebLogic for the first round:

First Round:

1. Configure node manager security and start the node manager.
2. How to start the admin server and check the admin console in the browser?
3. How to change the admin password with the admin console?
4. How to generate a thread dump and a heap dump in WebLogic?
5. How to generate an SSL certificate in WebLogic?
6. Create a cluster, assign the managed servers MS1 and MS2 to it, and restart the cluster.
7. Deploy the application on the managed server and the cluster, check the application status in the browser, and generate plan.xml.

Second Round:

Tell me about yourself and explain your professional experience?

1. What is the difference between unicast and multicast?
2. How to set up a production environment in WebLogic?
3. How many managed servers are required for each domain?
4. How many domains are created for 100 applications?
5. How to take a backup of a domain and create a domain configuration?
6. How to generate the admin password? How to change the admin password with the admin console? Is the node manager .prop (admin user ID/password) the same as the admin server console login?
7. How to set up multiple databases in your environment?
8. If the application is down, how do you resolve the issue?
9. How to resolve issues if you are getting a 404/500/503 error?
10. What is the difference between the development and production environments?

Wednesday, 25 February 2015

Useful Commands for WAS

1. ps -ef | grep java
2. ps -ef | grep -i <server name>
3. ps -ef | grep -i dmgr
4. ps -ef | grep nodeagent
5. find . -name <file name>
6. free -m
7. df -k ./
8. du -sk or du -sm or du -sk * | sort -rn | head
9. grep -i "e-business " systemout.log
10. top (Linux) and topas (AIX)
11. /usr/ucb/ps -auxww | grep <java> or <server1>
12. tail -f or cat or head <systemout.log>
13. scp <file name> <location>
14. scp <filename> <user id>@<remote host name>:<location>
15. ls -rlt or ls  of |grep
16. fdisk -h
17. vmstat
18. df -k swap
20. nmon
21. cp <file name> <location where you want to place it>
22. mv file1 file2
23. rm -fr *.* or rmdir <directory name> or rm file1 file2 ...
24. To empty a log file that has grown beyond 500 MB: > filename or cat /dev/null > logname
25. kill -9 <pid> (force-kill the process) or kill -3 <running app server pid> (thread dump or heap dump)
26. tar -xvf file.tar.gz or tar -zxvf file.tar.gz, or gunzip file.tar.gz and then extract the resulting file.tar with tar -xvf
27. uname -a or cat /proc/version (to check the Linux version)
28. netstat -an | grep <port number>
29. telnet <servername> <portnumber>
30. nslookup www.google.com or ping <ip address>

Tuesday, 24 February 2015

Tools for WAS

1. Classloader Analyzer
The Classloader Analyzer offers these features:
  • Calculation of the number of classloaders, classes, and loaded libraries
  • Automatic detection of classloader leak suspects
  • Suspect view with total number of classes and loaded classes
  • Classloader and class tree view
  • Classloader view with loaded classes
  • Library tree view for classloaders
  • Automatic detection of javacore and classloader trace
  • Automatic detection of suspect classes loaded multiple times
  • Jar and class tree view
2. Garbage Collection and Memory Visualizer
  • Monitor and fine tune Java heap size and garbage collection performance
  • Flag possible memory leaks
  • Size the Java heap correctly
  • Select the best garbage collection policy 
  • Verbose GC logs
  • -Xtgc output
  • native memory logs (output from ps, svmon and perfmon)
3. HeapAnalyzer: Analyzing Java heap dumps to troubleshoot problems such as:
  • Memory leaks
  • Excessive heap usage
Description: IBM HeapAnalyzer analyzes Java heap dumps and produces a summary report identifying leak suspects and showing statistics about the heap such as number of objects, number of references, number of classes, heap size and so on. It then lets you search and visually inspect the heap with graphical and tabular views.

4. Memory Analyzer: Analyzing system dumps and Java heap dumps to help you:
  • Troubleshoot memory leaks
  • Understand the architecture of your Java application through footprint analysis
  • Improve performance by tuning memory footprint and optimizing Java collections and cache usage
  • Customize analysis with additional plug-ins and reports
5. Thread and Monitor Dump Analyzer for Java: Analyzing Java core files to help you identify threading problems such as:
  • Hangs
  • Deadlocks
  • Resource contention
  • Bottlenecks

Properties files for WAS

1.  client.policy
The client.policy file is a default policy file shared by all of the WebSphere client containers and applets on a node.
2.   client_types.xml
The client_types.xml file provides client type detection support for servlets extending PageListServlet. Using the configuration data in the client_types.xml file, servlets can determine the language type that calling clients require for the response.
3.    converter.properties
The converter.properties file is used by the Web container to map an unsupported character set to a supported character set.
4.  encoding.properties
The encoding.properties file is used by the Web container to map the language identifier to a character set. This file is used only if the Web container determines the locale for a request using the Accept-Language HTTP header.
5.  ffdcRun.properties
Properties file used to specify settings for the WebSphere Application Server - Express First Failure Data Capture (FFDC) diagnostic engine. This file should only be changed when working with IBM Service personnel to do problem determination.
6. ffdcStart.properties
Properties file used to specify settings for starting the WebSphere Application Server - Express First Failure Data Capture (FFDC) diagnostic engine. This file should only be changed when working with IBM Service personnel to do problem determination.
7.   ffdcStop.properties
Properties file used to specify settings for stopping the WebSphere Application Server - Express First Failure Data Capture (FFDC) diagnostic engine. This file should only be changed when working with IBM Service personnel to do problem determination.
8.   implfactory.properties
File for specifying implementation classes for WebSphere Application Server - Express runtime factories. This file should only be modified under the direction of IBM Service personnel.
9.    java.security
The java.security file is used to specify various security properties for use by the java.security classes. WebSphere Application Server - Express uses this file instead of the java.security file located in the /QIBM/ProdData/Java400/jdk13/lib/security directory. If you wish to add security properties for your WebSphere Application Server - Express instance, you should modify this file in the properties directory for your instance.
10.      jmx.properties
This is a configuration file that controls logging within the JMX environment. This file should only be modified under the direction of IBM Service personnel.
11.   samples.properties
This file provides a list of the samples that are installed on your application server.
12.  sas.client.props
The sas.client.props file contains the configuration settings for authentication between a Java client and a server.

13.   sas.server.props
In WebSphere Application Server versions 4.0 and earlier, this file contained configuration settings for all application servers in an instance. In WebSphere Application Server - Express, these properties are specified in the security.xml file. The sas.server.props file maps the values from previous versions to the XML values specified in the current version's security.xml file.
14.   sas.stdclient.properties
This file contains the default configuration settings for a secure Java client that requires a userid and password via standard input from the command line.
15.   sas.tools.properties
This file contains the default configuration settings for a secure Java client that requires a userid and password via standard input from the command line.
16.   server.policy
The server.policy file is a default policy file shared by all of the application servers on a node. The permissions in this file only pertain to the WebSphere Application Server - Express runtime code.
17.   soap.client.props
This file contains configuration settings for authentication between a SOAP client and a server.
18.   sslbitsizes.properties
This file contains properties associating SSL cipher suites to their bit sizes.
19.   TraceSettings.properties
The TraceSettings.properties file is used to specify trace settings for client applications.
20.   was.policy
Sometimes an application requires additional authentication information that is not specified in the app.policy file. The additional information is specified in the was.policy file.
21.   wsadmin.properties
Contains properties used by the wsadmin command line administration tool.

Administrative roles

Role: Description

Monitor: An individual or group that uses the monitor role has the least amount of privileges. A monitor can complete the following tasks:
  • View the WebSphere Application Server configuration.
  • View the current state of the Application Server.

Configurator: An individual or group that uses the configurator role has the monitor privilege plus the ability to change the WebSphere Application Server configuration. The configurator can perform all the daily configuration tasks. For example, a configurator can complete the following tasks:
  • Create a resource.
  • Map an application server.
  • Install and uninstall an application.
  • Deploy an application.
  • Assign users and groups-to-role mapping for applications.
  • Set up Java 2 security permissions for applications.

Operator: An individual or group that uses the operator role has monitor privileges plus ability to change the runtime state. For example, an operator can complete the following tasks:
  • Stop and start the server.
  • Monitor the server status in the administrative console.

Administrator: An individual or group that uses the administrator role has the operator and configurator privileges, plus additional privileges that are granted solely to the administrator role. For example, an administrator can complete the following tasks:
  • Modify the server user ID and password.
  • Configure authentication and authorization mechanisms.
  • Enable or disable administrative security.
  • Enable or disable Java 2 security.

Monday, 23 February 2015

WAS Interview Questions


WIPRO (Interview questions)

1. Tell me about yourself and your present environment? [IBM]

2. What is WAS? Tell me the installation process for WAS 6.x/7.x/8.x? [IBM]

3. What is the location of the JACL files in WAS 6.x?

4. What is the tool to run scripts like JACL and Jython in WAS 6.x?

5. How to set up and use Windows services in the present environment?

6. How to check the disk space?

7. What is the command to create a tar ball?

8. How to modify the response file.txt in Apache?

9. Difference between 6.x and 7.x? Give a brief explanation.

10. Difference between web servers and app servers?

11. Tell me the installation process of the plug-in? Give me one example? [IBM]

12. How many servers are running in the present environment?

13. How to use and enable local users in LDAP?

14. Which file provides the security and how is it done? Give a brief explanation.

15. Tell me the process of JMS configuration in WAS?

16. What are clusters? Types of clusters? How to set them up in the present environment?

17. What are horizontal clusters? Tell me how to set them up in the admin console in WAS?

18. Did you work on WAS 7.x?

19. What is the installation process of 7.x and 8.x in WAS?

20. What are the major advantages of WAS 7.x and did you set it up in previous environments?

21. Which version is set up in the present environment?

22. In what ways are application profiles installed? Give an example.

23. How to install the profiles in dmgr? Tell me the command. Where do you run this command?

24. Which port number opens the admin console? What is its use?

25. What are the types of application deployment in WAS?


IBM

  1. What is a virtual host? Which port number is to open admin console?
  2. Which Unix/Linux flavor and version is used in the present environment?
  3. Difference between WAS 6.0 and 6.1?
  4. Why is IHS used in some organizations, and why are you not using it in the present environment?
  5. How to create profile?
  6. Tell me deployment ways?
  7. Tell me about your current organization & how many servers are running?
  8. How to do SSL in present environment? 
  9. Tell me JMS Configurations?
  10. Tell me about Node Group Configuration in WAS?
  11. What is latest version of fix packs?
  12. Where is the location of fix packs?
  13. How to install fix packs or apply fix pack?
  14. What are the prerequisites for the federation process?
  15. What is heap dump? How to install heap dump?
  16. What is default of heap dump?
  17. What is a node agent?
  18. What is PID?
  19. What is port availability?
  20. What are SSL , LDAP default port numbers?
  21. What is a JDBC Connection provider? Types of JDBC?
  22. What is a JVM? How to increase heap size?
  23. What is a federation?
  24. Tell me apache and JBOSS installation locations?
  25. What ticketing tool used in present environment?
Real-time issues:
1. What is the application status if the node or the node agent is down?
2. We have 50 requests coming from the browser to the web server, so what are the weights of the cluster?
3. We are getting an internal server error?
4. We are getting 404, 403 and 400 errors; how do you resolve them?
5. We are getting an error code in SystemOut.log. Please see the error below; how do you resolve it?
"The plugin was already used  others.....etc"
6. What is the status of the application server if the web server is down?
7. We want to create multiple IP, DNS, host, etc. entries, so where can we update them?
8. We have 100 applications in one production environment, but unfortunately all the applications are down. How do you resolve that issue?
9. How to migrate WAS v6.1 to v7.0? What steps are involved?



Friday, 20 February 2015

503 - Servlet Temporarily Unavailable.

1. 503 - Servlet Temporarily Unavailable.
If the servlet is destroyed or the application is stopped while a request has been in the service method for longer than 60 seconds, the servlet becomes unavailable.
PROBLEM DESCRIPTION: Servlets return a 503 return code after an application has been restarted.
RECOMMENDATION: When stopping an application, the WebContainer waits for any active servlet requests to finish before destroying the associated servlet wrapper. If the WebContainer times out waiting for the service method to complete, it destroys the wrapper anyway, and when the currently serviced request finishes it adds the wrapper back to the cache.
Conclusion
Updated the WebContainer to prevent servlet wrappers from being added for web applications that are being stopped. The fix for this APAR is currently targeted for inclusion in fix pack 6.1.0.19. Please refer to the Recommended Updates page for delivery information:
2. ERROR: During a rolling restart of the appservers, the server will respond to requests with a 503 "Service temporarily unavailable" response. When the plugin receives a 503 response, it will retry the request to try to obtain a good response. If the request has affinity, it will go back to the same server, resulting in a failure because the server is being restarted.
PROBLEM DESCRIPTION: When the server provides a 503 response, if the request has affinity, all retries will go to the same server.
RECOMMENDATION: Requests are retried to the same server if the request has affinity and the server responds with a 503 response code.
Problem conclusion
A custom property has been added to allow for a failover to occur if the server responds with a 503. The property MarkBusyDown is set at Servers > Web Servers > Web_server_name > Plug-in properties > Custom properties. If the value is true, the plugin will temporarily mark the server down to give it a chance to complete the restart. The duration of the markdown depends on the RetryInterval specified in the plugin configuration.

Wednesday, 18 February 2015

Apache Interview Questions & Answers

Q: – What is location of log files for Apache server ?
Ans- /var/log/httpd
Q: – What are the types of virtual hosts ?
Ans-
a. name-based
b. IP-based.
Name-based virtual host means that multiple names are running on each IP address.
IP-based virtual host means that a different IP address exists for each website served. Most configurations are named-based because it only requires one IP address.

Q: – Command to restart/start Apache web server ?
Ans- ./apachectl -k start/stop
Q: – Command to check the version of Apache server ?
Ans- ./apachectl -v
Q: – What is meaning of “Listen” in httpd.conf file ?
Ans- Port number on which to listen for nonsecure (http) transfers.
Q: – What is Document Root ?
Ans- It is a location of files which are accessible by clients. By default, the Apache HTTP server in RedHat Enterprise Linux is configured to serve files from the /var/www/html/ directory.
Q: – Apache server works on which ports ?
Ans-
http – port 80
https – port 443

Q: – Tell me name of main configuration file of Apache server ?
Ans- httpd.conf
Q: – On which version of apache you have worked ?
Ans- httpd-2.2.3
Q: – What do you mean by a valid ServerName directive?
Ans- The DNS system is used to associate IP addresses with domain names. The value of ServerName is returned when the server generates a URL. If you are using a certain domain name, you must make sure that it is included in your DNS system and will be available to clients visiting your site.
Q: – What is the difference between a restart and a graceful restart of a web server ?
Ans- During a normal restart, the server is stopped and then started, causing some requests to be lost. A graceful restart allows Apache children to continue to serve their current requests until they can be replaced with children running the new configuration.
Q: – What is the use of mod_perl module ?
Ans- mod_perl scripting module to allow better Perl script performance and easy integration with the web server.
Q: – If you have added “loglevel Debug” in httpd.conf file, then what will happen ?
Ans- It will give you more information in the error log in order to debug a problem.
Q: – Is it possible to record the MAC (hardware) address of clients that access your server ?
Ans- No
Q: – If there is one IP address, then how to host two web sites on server ?
Ans- In this case I will use Name Based Virtual hosting.
ServerName 10.111.203.25
NameVirtualHost *:80

<VirtualHost *:80>
ServerName slim1.test.com
DocumentRoot /var/www/html/web1
</VirtualHost>

<VirtualHost *:80>
ServerName slim2.test2.com
DocumentRoot /var/www/html/web2
</VirtualHost>

Q: – Can I serve content out of a directory other than the DocumentRoot directory?
Ans- Yes. We can do it by using “Alias” command.
Q: – If you have to map more than one URL to the same directory but you don’t have multiple Alias directives, what will you do ?
Ans- In this case I will use “AliasMatch” directives.
The AliasMatch directive allows you to use regular expressions to match arbitrary patterns in URLs and map anything matching the pattern to the desired URL.

Q: – Can you record all the cookies sent to your server by clients in Web Server logs?
Ans- Yes, add following lines in httpd.conf file.
CustomLog logs/cookies_in.log "%{UNIQUE_ID}e %{Cookie}i"
CustomLog logs/cookies2_in.log "%{UNIQUE_ID}e %{Cookie2}i"

Q: – Can we automatically roll over the Apache logs at specific times without having to shut down and restart the server?
Ans- Yes
Use CustomLog and the rotatelogs program.
Add the following line in httpd.conf file.
CustomLog "|/path/to/rotatelogs /path/to/logs/access_log.%Y-%m-%d 86400" combined

Q: – What should we do to find out how people are reaching your site ?
Ans- Add the following format specifier to your access log format: %{Referer}i
Q: – How you will put a limit on uploads on your web server ?
Ans- This can be achieved by LimitRequestBody directive.

LimitRequestBody 100000

Here I have put limit of 100000 Bytes
Q: – I want to stop people using my site by Proxy server. Is it possible?
Ans-
Order Allow,Deny
Deny from all
Satisfy All

Q: – What is mod_evasive module?
Ans- mod_evasive is a third-party module that performs one simple task and performs it very well. It detects when your site is receiving a Denial of Service (DoS) attack and it prevents that attack from doing as much damage. mod_evasive detects when a single client is making multiple requests in a short period of time and denies further requests from that client. The period for which the ban is in place can be very short, because it just gets renewed the next time a request is detected from that same host.
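The detect, deny and renew behaviour described in this answer, as a small Python model run over constructed access-log lines. This is an added example, not mod_evasive's code or part of the original post; the function and parameter names (max_requests, interval, blocking_period, renew_on_hit) are hypothetical and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in Apache common log format (not real traffic).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [18/Feb/2015:10:00:00 +0000] "GET /test.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [18/Feb/2015:10:00:00 +0000] "GET /test.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Feb/2015:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 900',
    '10.0.0.5 - - [18/Feb/2015:10:00:00 +0000] "GET /test.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [18/Feb/2015:10:00:00 +0000] "GET /test.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [18/Feb/2015:10:00:05 +0000] "GET /test.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Feb/2015:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 900',
    'this line is malformed and must be skipped',
    '10.0.0.5 - - [18/Feb/2015:10:00:12 +0000] "GET /test.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [18/Feb/2015:10:00:30 +0000] "GET /test.html HTTP/1.1" 200 512',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')


def parse_line(line):
    """Return (epoch_seconds, client_ip, path), or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return ts, m.group(1), m.group(4)


def evaluate(lines, max_requests=3, interval=1.0, blocking_period=10.0,
             renew_on_hit=True):
    """Replay log lines and return a list of (client, path, 'allow' | 'deny').

    A client that sends more than max_requests within `interval` seconds is
    denied for `blocking_period` seconds. With renew_on_hit, every request
    received while the ban is active restarts the ban, which is why a short
    blocking period is enough against a client that keeps sending.
    """
    recent = defaultdict(deque)   # client -> timestamps inside the window
    blocked_until = {}            # client -> time at which the ban expires
    decisions = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, path = parsed
        if blocked_until.get(client, 0.0) > ts:
            if renew_on_hit:
                blocked_until[client] = ts + blocking_period
            decisions.append((client, path, "deny"))
            continue
        window = recent[client]
        while window and ts - window[0] >= interval:
            window.popleft()      # forget requests older than the interval
        window.append(ts)
        if len(window) > max_requests:
            blocked_until[client] = ts + blocking_period
            window.clear()
            decisions.append((client, path, "deny"))
        else:
            decisions.append((client, path, "allow"))
    return decisions


def decisions_for(decisions, client):
    """Only the allow/deny verdicts for one client, in request order."""
    return [verdict for c, _, verdict in decisions if c == client]


if __name__ == "__main__":
    for client, path, verdict in evaluate(SAMPLE_ACCESS_LOG):
        print(client, path, verdict)
```

The model keys on the client IP address, so many users behind one NAT or proxy address count as a single client; thresholds have to be sized with that in mind.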
Q: – Which tool you have used for Apache benchmarking?
Ans-
ab (Apache bench)
ab -n 1000 -c 10 http://www.test.com/test.html

Q: – Can we cache files which are viewed frequently?
Ans- Yes we can do it by using mod_file_cache module.
CacheFile /www/htdocs/index.html

Wednesday, 11 February 2015

To change hostname or ports in the WAS

Admin Console :

1. For the application server, select Servers > Application servers > application server > Ports
2. For the node agent, select System administration > Node agents > node agent > Ports
3. For the deployment manager, select System administration > Deployment manager > Ports

4. If you changed the host names for the application server and node agent, update the node with the changes:
a: Stop the node agent and the application server
b: Sync the node
c: Start the node agent and the application server

5. If you changed the host names for the application server and node agent, update the node with the changes:
a: Stop the node agent.
     stopNode -profileName AppSrv01
b: syncNode deployment_manager_host deployment_manager_Soap_port
c: Restart the node agent
d: Restart the application server

6. If you changed the host name for the deployment manager, restart the deployment manager to apply the changes:

a: Stop the deployment manager.
    stopManager -profileName DMgr01
b: Start the deployment manager.
    startManager -profileName DMgr01

Basic troubleshooting steps for WAS

1. Have an end-to-end view in WebSphere troubleshooting, from the browser all the way to the backend system.
2. First, test the JVM to see if it is working. Make sure that the JVM is up and running and there are no hung threads. Turn on verbose GC and look in the system log and native_std.log for JVM-related error messages.
3. From the browser, test whether the URL is working. If the return code is a 500 internal error, this may be a JVM or plugin issue. If the return code is a 404 page not found error, it may well be a web server problem.
4. Try to browse directly to the transport port of the web server and application server. If the URL works there, you can exclude the web server and application server from the troubleshooting scope.
5. Use "telnet server_name port_name" to test network connectivity and server status, or to test other components of the system, for example an MQ server with a port number of 1470.
6. Look in the access log of the web server to see if any request has actually been made to the web server and has not got stuck at the 3DNS or BIG-IP. Also look in the error logs to see if there are any plugin problems or SiteMinder issues.
7. If there is high CPU, usually it is bad application code.
8. If there is high memory consumption, creating a heap dump with kill -3 helps. You can ship the dump to IBM for analysis if your workstation does not have enough memory to run the Support Assistant suite of tools.
9. Check the connection pool. A frequently seen problem is a bug in the JEE code that does not close the connection after using it. This causes a connection leak. Use "telnet server_name 446" to examine the network connectivity between the WebSphere Application Server and the backend systems. This will also tell you if the server is actually up and running. Sometimes the piling up of connections is due to a connectivity issue. Use TPV, Introscope, or ITCAM to inspect the connection pool, and examine the system log for connection timeouts.
10. Monitor all application servers at runtime with performance tools such as IBM IST, Dynatrace, TPV and Wily Introscope.

Monday, 9 February 2015

Types of Profiles in the WAS


Environment type: Description

Cell: A cell environment creates two profiles: a management profile with a deployment manager (Dmgr) and an application server profile. The application server is federated to the cell of the deployment manager. These profiles will be created using the DMGR and Node (AppSrv) profiles.

Management: A management profile provides the server and services for managing multiple application server environments. The administrative agent manages application servers on the same machine. The Network Deployment edition also includes a deployment manager for tightly coupled management and a job manager for loosely coupled management of topologies distributed over multiple machines.

Application server: An application server environment runs your enterprise applications. WebSphere Application Server is managed from its own administrative consoles and functions independently from all other application servers.

Custom profile: A custom profile contains an empty node, which doesn't contain an administrative console or servers. The typical use for a custom profile is to federate its node to a deployment manager. After federating the node, use the deployment manager to create a server or a cluster of servers with the node or nodes. The custom profile options also allow you to override default IBM naming conventions during the profile creation wizard process.

Monday, 2 February 2015

Creating a self-signed certificate

It usually takes two to three weeks to get a certificate from a well known certificate authority (CA). While waiting for a certificate to be issued, use IKEYMAN to create a self-signed server certificate to enable SSL sessions between clients and the server. Use this procedure if you act as your own CA for a private Web network.

Procedure

  1. If you have not created the key database,
  2. Start the IKEYMAN user interface.
  3. Click Key Database File from the main UI, and then click Open.
  4. Enter your key database name in the Open dialog box, or click the key.kdb file, if you use the default. Click OK.
  5. In the Password Prompt dialog box, enter your correct password and click OK.
  6. Click Personal Certificates in the Key Database content frame, and click the New Self-Signed radio button.
  7. Enter the following information in the Password Prompt dialog box:
    • Key label: Enter a descriptive comment to identify the key and certificate in the database.
    • Key size: Choose your level of encryptions from the drop-down menu.
    • Common Name: Enter the fully qualified host name of the Web server as the common name. Example: www.4uportal.com.
    • Organization Name: Enter your organization name.
    • Optional: GBS
    • Optional: HYDERABAD
    • Optional: TE
    • Optional: 500001
    • Country: Enter a country code. Specify at least two characters. Example: US
    • Certificate request file name, or use the default name.
    • Validity Period
  8. Click OK.

Importing and exporting keys

This article describes how to import and export your key into another database or to a PKCS12 file. PKCS12 is a standard for securely storing private keys and certificates.

About this task
To import and export keys from another database, complete the following steps:
Procedure
 
  • Import keys from another database by completing the following steps:
    1. Start the IKEYMAN user interface. Refer to Starting the Key Management utility for platform-specific instructions.
    2. Click Key Database File from the main UI, then click Open.
    3. Enter your key database name in the Password prompt dialog box, or click key.kdb if you are using the default.
    4. Enter your correct password in the Password prompt dialog box, and click OK.
    5. Click Personal Certificates in the Key Database content frame, then click Export/Import on the label.
    6. In the Export/Import Key window:
      1. Click Import Key.
      2. Click the target database type.
      3. Enter the file name, or use the Browse option.
      4. Enter the current location.
    7. Click OK.
    8. Click OK in the Password prompt dialog box, to import the selected key to another key database.
  • Import keys to a PKCS12 file by completing the following steps:
    1. Enter ikeyman on a command line on the Linux or UNIX platforms, or start the Key Management utility in the IBM HTTP Server folder on the Windows operating system.
    2. Click Key Database File from the main UI, then click Open.
    3. Enter your key database name in the Open dialog box, or click key.kdb, if you use the default. Click OK.
    4. Enter your password in the Password prompt dialog box, and click OK.
    5. Click Personal Certificates in the Key Database content frame, then click Export/Import on the label.
    6. In the Export/Import Key window:
      1. Click Import Key.
      2. Click the PKCS12 database file type.
      3. Enter the file name, or use the Browse option.
      4. Enter the correct location.
    7. Click OK.
    8. Enter the correct password in the Password prompt dialog box, then click OK.
  • Export keys from another database by completing the following steps:
    1. Start the IKEYMAN user interface.
    2. Click key database file from the main user interface, then click Open.
    3. Enter your key database name in the Password Prompt dialog box, or click key.kdb if you are using the default.
    4. Enter your correct password in the Password Prompt dialog box, and click OK.
    5. Click Personal Certificates in the Key database content frame, then click Export/Import on the label.
    6. In the Export/Import Key window:
      1. Click Export Key.
      2. Click the target database type.
      3. Enter the file name, or use the Browse option.
      4. Enter the current location.
  • Export keys to a PKCS12 file by completing the following steps:
    1. Enter ikeyman on a command line on the Linux or UNIX platforms, or start the Key Management utility in the IBM HTTP Server folder on the Windows operating system.
    2. Click Key Database File from the main UI, then click Open.
    3. Enter your key database name in the Open dialog box, or click key.kdb if you use the default. Click OK.
    4. Enter your password in the Password Prompt dialog box, and click OK.
    5. Click Personal Certificates in the Key Database content frame, then click Export/Import on the label.
    6. In the Export/Import Key window:
      1. Click Export Key.
      2. Click the PKCS12 database file type.
      3. Enter the file name, or use the Browse option.
      4. Enter the correct location.
    7. Click OK.
    8. Enter the correct password in the Password prompt dialog box, and enter the password again to confirm. Click OK to export the selected key to a PKCS12 file.

Configure SSL between the IBM HTTP Server Administration Server and the deployment manager

Configure Secure Sockets Layer (SSL) between the deployment manager for WebSphere® Application Server and the IBM® HTTP Server administration server, which is called adminctl.

About this task

Version 6.1 of Application Server has new SSL management functions that need to be managed properly in order for IBM HTTP Server to connect with an SSL request. In earlier releases, SSL connections used default dummy certificates that were exchanged between IBM HTTP Server and the Application Server. In WebSphere Application Server Version 6.1, you must configure the Application Server to accept a self-signed certificate from IBM HTTP Server so SSL connections are accepted and transactions are completed.
If the Application Server and the IBM HTTP Server administration server are not configured correctly, the Application Server shows any errors that are received in the log file for the deployment manager. In situations where the IBM HTTP Server administration server is attempting to connect through SSL and the Application Server is not configured, you might receive an error that is similar to the following message:
-CWPKI0022E: SSL HANDSHAKE FAILURE:  A signer with
SubjectDN "CN=localhost" was sent from target host:port "null:null".
The signer may need to be added to local trust store "c:/619/app2/profiles/Dmgr01/config/cells/rjrCell02/trust.p12" 
located in SSL configuration alias "CellDefaultSSLSettings"
 loaded from SSL configuration file "security.xml".  
The extended error message from the SSL handshake
 exception is: "No trusted certificate found".

-IOException javax.net.ssl.SSLHandshakeException: 
com.ibm.jsse2.util.h: No trusted certificate found
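
An added example (not part of the original page or of IBM's tooling): a small Python parser that pulls the signer DN, trust store, and SSL configuration alias out of CWPKI0022E messages, so you can see which certificate has to be added to which trust store. The sample text is the message shown above; the function and field names are illustrative.

```python
import re

# Constructed sample: the CWPKI0022E message from this page, wrapped as shown above.
SAMPLE_LOG = '''\
CWPKI0022E: SSL HANDSHAKE FAILURE:  A signer with
SubjectDN "CN=localhost" was sent from target host:port "null:null".
The signer may need to be added to local trust store "c:/619/app2/profiles/Dmgr01/config/cells/rjrCell02/trust.p12"
located in SSL configuration alias "CellDefaultSSLSettings"
 loaded from SSL configuration file "security.xml".
The extended error message from the SSL handshake
 exception is: "No trusted certificate found".
'''

# Illustrative field names mapped to the quoted values in the message text.
FIELDS = {
    "subject_dn": r'SubjectDN "([^"]*)"',
    "target": r'target host:port "([^"]*)"',
    "trust_store": r'local trust store "([^"]*)"',
    "ssl_alias": r'SSL configuration alias "([^"]*)"',
    "reason": r'exception is: "([^"]*)"',
}

def parse_cwpki0022e(log_text):
    """Return one dict per CWPKI0022E message found in log_text."""
    flat = re.sub(r"\s+", " ", log_text)  # undo line wrapping
    records = []
    for chunk in flat.split("CWPKI0022E:")[1:]:
        record = {}
        for name, pattern in FIELDS.items():
            match = re.search(pattern, chunk)
            record[name] = match.group(1) if match else None
        records.append(record)
    return records

def missing_signers(log_text):
    """Unique (signer DN, trust store) pairs, in first-seen order."""
    pairs = []
    for record in parse_cwpki0022e(log_text):
        pair = (record["subject_dn"], record["trust_store"])
        if pair not in pairs:
            pairs.append(pair)
    return pairs

if __name__ == "__main__":
    for dn, store in missing_signers(SAMPLE_LOG * 2):
        print(f"signer {dn} is not trusted by {store}")
```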

Procedure

  1. Obtain a self-signed server certificate. You can generate a new self-signed certificate or use the existing certificate from the IBM HTTP Server Web server plugin.
    • Use the existing self-signed certificate from the IBM HTTP Server Web server plugin.
    • Create a CMS key database file and a self-signed server certificate. Use the iKeyman utility for distributed operating systems and the gskkyman tool for z/OS® operating systems. This step and later steps will assume that you are using the iKeyman utility.
      • Use the IBM HTTP Server iKeyman utility graphical user interface or command line to create a CMS key database file and a self-signed server certificate.
        Use the iKeyman utility to create a self-signed certificate for the IBM HTTP Server Administration Server and save the certificate as /conf/admin.kdb.
        Best practice: Make note of the password and select Stash password to a file.
        The following fields are required for the certificate:
        Label
        adminselfSigned
        Common Name
        fully_qualified_host_name
  2. IBM HTTP Server uses the z/OS gskkyman tool for key management to create a CMS key database file, public and private key pairs, and self-signed certificates. Alternatively, you can create a SAF keyring in place of a CMS key database file.
    • For information on gskkyman, see Key management using the native z/OS key database.
    • For information on creating SAF keyrings, see Authenticating with SAF on IBM HTTP Server and SSL keyfile directive.
  3. Extract the self-signed certificate to a file using iKeyman utility.
    1. Select the certificate that you created in Step 1. For example, adminselfSigned.
    2. Click Extract Certificate. The recommended file name for extraction is C:\Program Files\IBM\HTTPServer\conf\cert.arm.
      Avoid trouble: Do not change the data type.
  4. Modify the Administration Server configuration file, which is named admin.conf.
    1. Configure the file to load the IBM SSL module. Uncomment the following line:
      LoadModule ibm_ssl_module     modules/mod_ibm_ssl.so
    2. Enable SSL and define a key file to use. Uncomment the following lines to enable SSL and define a key file to use:
      SSLEnable
      SSLServerCert default
      Keyfile "C:/Program Files/IBM/HTTPServer5/conf/admin.kdb"
      Avoid trouble: Be aware of the following:
      • The key file directive must match the name and location of a valid key file that is installed on your system.
      • You must have IBM SSL support installed for this to work.
      • The "default" in SSLServerCert is the label, or name, of the self-signed certificate that is created when the plugin-key.kdb file was created.
      • The previous example uses SSLServerCert because the default self-signed certificate in the plugin-key.kdb is not flagged as the default certificate.
  5. Start the administration server for IBM HTTP Server. Verify that the log file does not contain GSKIT errors.
  6. Configure WebSphere Application Server.
    1. Log into the Administrative Console for the Application Server and start the deployment manager.
    2. Select Security > SSL certificate and key management.
    3. Select Manage endpoint security configurations. You are directed to a list of inbound and outbound endpoints.
    4. Select the outbound cell (cellDefaultSSLSettings,null). Select outbound cells because, in this setup, the Administration Console for the Application Server is the client, and the IBM HTTP Server Administration Server is the server.
      Avoid trouble: This setup is the opposite configuration from an SSL setup with the IBM HTTP Server plugin and the Application Server.
    5. In the Related Items section, click Key stores and certificates.
    6. Click CellDefaultTrustStore.
    7. In the Additional Properties section, click Signer Certificates.
    8. FTP the certificate file to the Application Server. Do not change the data type.
    9. In the collection panel for Signer Certificates, click Add. Enter the following information in the fields.
      Table 1. Signer Certificate information
      Name       Value
      Alias      adminselfSigned
      File name  file_name
      For example, enter the following:
      c:\program files\ibm\httpserver\conf\cert.arm
    10. Save the configuration changes to the administrative console.
    11. Stop the deployment manager.
    12. Start the deployment manager.
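
An added example (not from the original page): a Python check for step 4 that reports which of the SSL lines in admin.conf are still commented out and whether the Keyfile path exists. It assumes a CMS .kdb key file on a distributed platform rather than a SAF keyring; the function names and the sample configuration are illustrative.

```python
import os

# Constructed sample admin.conf fragment: SSLEnable is still commented out.
SAMPLE_CONF = '''\
LoadModule ibm_ssl_module     modules/mod_ibm_ssl.so
#SSLEnable
SSLServerCert default
Keyfile "C:/Program Files/IBM/HTTPServer5/conf/admin.kdb"
'''

# Directives that step 4 says must be uncommented (names compared lower-cased).
REQUIRED = ("loadmodule ibm_ssl_module", "sslenable", "sslservercert", "keyfile")

def active_directives(conf_text):
    """Map lower-cased directive name -> argument for uncommented lines."""
    found = {}
    for raw in conf_text.splitlines():
        tokens = raw.strip().split(None, 1)
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line or comment
        name = tokens[0].lower()
        arg = tokens[1].strip() if len(tokens) > 1 else ""
        if name == "loadmodule" and arg:
            parts = arg.split(None, 1)  # module name, then module path
            name = f"loadmodule {parts[0].lower()}"
            arg = parts[1] if len(parts) > 1 else ""
        found[name] = arg.strip().strip('"')
    return found

def check_admin_ssl(conf_text, exists=os.path.exists):
    """Return a list of problems; an empty list means the SSL lines are in place."""
    found = active_directives(conf_text)
    problems = [f"'{d}' is missing or commented out"
                for d in REQUIRED if d not in found]
    if "sslservercert" in found and not found["sslservercert"]:
        problems.append("SSLServerCert has no certificate label")
    keyfile = found.get("keyfile")
    if keyfile and not exists(keyfile):
        problems.append(f"Keyfile not found: {keyfile}")
    return problems

if __name__ == "__main__":
    # exists is stubbed so the sample runs on any machine.
    for problem in check_admin_ssl(SAMPLE_CONF, exists=lambda path: True):
        print(problem)
```

To check a real file, read admin.conf into a string and call check_admin_ssl(text) with the default exists argument.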