7022859: Replacing SSL certificates on Windows server running GW18 WebAccess.

A key file for this configuration change is server.xml, located in the C:\Novell\GroupWise\Tomcat\conf directory.

Using any text editor, you can find the SSL configuration sections, which you can enable or disable. GW18 uses an apache-tomcat combination to run the WebAccess software, and there are two ways to secure WebAccess. By default, the java/tomcat approach is used, with the “.keystore” file located in the same directory. However, if you have a corporate certificate and key file for web servers, you can disable the java/tomcat security settings and use the web server security section instead.

Find the section containing <Certificate certificateKeystoreFile="conf/.keystore" and comment out the entire java/tomcat section. It should look like the example below:

<!--
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/.keystore"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
-->

Right below this tomcat/java secure section is a traditional web server section, which you can enable and in which you specify the location of the key and certificate files, as in the example below:

<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/<corp_private_key>.key"
                     certificateFile="conf/<corporate_ssl_certificate>.cer"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

In this example, a corporate private key and a certificate file were copied into the conf directory. Once this is done, save the changes and restart the Apache Tomcat 8.5 Tomcat 8 service.
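A check that can be run on the edited server.xml before restarting the service, as an added example (not part of the original article or of GroupWise tooling): it reports which TLS connector is live, which certificate approach it uses, and whether both sections were left enabled on the same port. The sample server.xml and the file names conf/example.key and conf/example.cer are constructed.

```python
import xml.etree.ElementTree as ET

def audit_server_xml(xml_text):
    """Return (active TLS connectors, findings) for a Tomcat server.xml."""
    try:
        root = ET.fromstring(xml_text)  # comments are dropped: a commented-out <Connector> is ignored
    except ET.ParseError as exc:  # e.g. a literal <placeholder> left in a path
        return [], [f"server.xml is not well-formed: {exc}"]
    active, findings, ports = [], [], {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue  # non-TLS connectors are out of scope
        port = conn.get("port")
        ports[port] = ports.get(port, 0) + 1
        certs = conn.findall("./SSLHostConfig/Certificate")
        if not certs:
            findings.append(f"port {port}: SSLEnabled but no <Certificate>")
        for cert in certs:
            keystore = cert.get("certificateKeystoreFile")
            key_file, cert_file = cert.get("certificateKeyFile"), cert.get("certificateFile")
            if keystore and (key_file or cert_file):
                mode = "mixed"       # both approaches on one element
            elif keystore:
                mode = "keystore"    # java/tomcat approach
            elif cert_file:
                mode = "pem"         # key and certificate files
            else:
                mode = "incomplete"  # no usable certificate source
            if mode in ("mixed", "incomplete"):
                findings.append(f"port {port}: {mode} certificate settings")
            active.append({"port": port, "mode": mode,
                           "protocol": conn.get("protocol", "").rsplit(".", 1)[-1]})
    for port, count in ports.items():
        if count > 1:  # both sections left enabled on the same port
            findings.append(f"port {port}: {count} TLS connectors enabled")
    return active, findings

# Constructed sample: keystore connector commented out, key/cert one enabled.
SAMPLE = """<Server><Service name="Catalina">
<!-- <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
  <SSLHostConfig><Certificate certificateKeystoreFile="conf/.keystore" type="RSA" /></SSLHostConfig>
</Connector> -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol" SSLEnabled="true">
  <SSLHostConfig><Certificate certificateKeyFile="conf/example.key" certificateFile="conf/example.cer" type="RSA" /></SSLHostConfig>
</Connector>
</Service></Server>"""

if __name__ == "__main__":
    print(audit_server_xml(SAMPLE))
```

A path that still contains a literal angle-bracket placeholder makes the file fail to parse, which the function reports as a finding instead of raising.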

If this step does not work for you (there are complaints about certificates in the catalina log file once you start the tomcat-apache service), the other way to reuse existing certificates is to import them into the “.keystore” file and go back to using the java/tomcat secure section.

You can import official certificates into the “.keystore” file by:

keytool -import -keyalg RSA -keystore <path to .keystore file> -trustcacerts -file <path to official cert file>

After those steps, restart the Apache Tomcat 8.5 Tomcat 8 service to start using the java/tomcat approach.

If none of the above gets your existing web certificates working with this tomcat-apache combo, you will need to generate a new CSR file and have certificates signed for your Windows server by the CA Authority where you purchased certificates before. Preferably use the “keytool” java utility to generate the new CSR file, and send it to the CA Authority, asking for certificates for securing java/tomcat.

Following is the command to generate new keystore and CSR files:

keytool -certreq -keyalg RSA -alias tomcat -file <certreq>.csr -keystore <path to new .keystore file>


Data Protection Advisor: After installation DPA Application service fails to start

Article Number: 517807 Article Version: 3 Article Type: Break Fix



Data Protection Advisor 6.4

After a successful NEW installation of DPA, you are unable to log in to the web interface.

Checking the DPA files on the DPA Application server in <DPA_install_directory>/application shows that the files have the status of ‘.deployed’

When running the following command the output shows that the Application service is no longer running:

Windows: dpa app status

UNIX: ./dpa.sh app status

When reviewing the ‘server.log’ under <DPA_install_directory>/dpa/services/logs the following entries are visible:

ERROR [com.emc.apollo.scheduler.SchedulerService] (ServerService Thread Pool -- 235) Problems during scheduler initialization. Unable to bind scheduler 'DPAScheduler' to JNDI: org.quartz.SchedulerConfigException: Failure occured during job recovery. [See nested exception: org.quartz.JobPersistenceException: Couldn't recover jobs: ERROR: relation "apollo.quartz_triggers" does not exist
ERROR [org.jboss.as.ejb3.invocation] (ServerService Thread Pool -- 225) JBAS014134: EJB Invocation failed on component SchedulerServiceBean for method public abstract java.util.Map com.emc.apollo.scheduler.SchedulerService.getAllJobsMap(): javax.ejb.EJBException: java.lang.NullPointerException
ERROR [org.jboss.as.ejb3.invocation] (ServerService Thread Pool -- 225) JBAS014134: EJB Invocation failed on component SchedulerCommandsBean for method public abstract java.util.Map com.emc.apollo.command.scheduler.SchedulerCommands.getAllJobsMap(): javax.ejb.EJBTransactionRolledbackException: java.lang.NullPointerException

The ‘apollo’ schema is missing or has been corrupted within the Datastore.

As this was a new installation, there is no risk of losing any historical data, so the schema can be recreated by running the following on the Datastore Server:

Windows:

dpa ds recreate

next

dpa ds createts

The database password will then need to be set using the ‘dpa ds dspassword‘ command.

To avoid the DPA Application nodes being unable to access the Datastore database this new database password will need to be set on the Application nodes.

Start the application service and reset the administrator’s password (run ‘dpa application adminpassword‘ on the application node) in order to log in to DPA.

UNIX:

cd to <DPA_install_directory>/application/services/bin

./dpa.sh ds recreate

next

./dpa.sh ds createts

The database password will then need to be set using the ‘./dpa.sh ds dspassword‘ command.

To avoid the DPA Application nodes being unable to access the Datastore database this new database password will need to be set on the Application nodes.

Start the application service and reset the administrator’s password (run ‘./dpa.sh application adminpassword‘ on the application node) in order to log in to DPA.

Please contact EMC Technical Support for further details or assistance.


Oracle & WebLogic licensing


Hello all,

I would like to know if AMS gathers data from Oracle servers and WebLogic implementations, and if so, what data does it obtain and how good is its license compliance concerning Oracle as they are quite complex?

Thanks in advance, SK. 


Unisphere for VMAX: Unable to launch Unisphere v8.4.0.4 on a RHEL 7.3 remote client.

Article Number: 501947 Article Version: 3 Article Type: Break Fix



Unisphere for VMAX 8.4.0

Fresh installation of SE 8.4.0 and Uni 8.4.0.4 – SMAS will not stay running past 10 seconds.

Errors within the deployer log during the domain-symm0.ear deployment attempt:

2017-06-28 17:57:35,653 INFO [com.emc.em.deployer.ServerManagerService] (EJB default - 1) ServerManagerService.getLine(): Caused by: javax.ejb.EJBException: java.lang.RuntimeException: javax.ejb.EJBException: java.lang.RuntimeException: SymInitialize failed with code 508 (SYMAPI_C_UNKNOWN_HOST)
2017-06-28 17:57:35,653 INFO [com.emc.em.deployer.ServerManagerService] (EJB default - 1) ServerManagerService.getLine(): Caused by: java.lang.RuntimeException: javax.ejb.EJBException: java.lang.RuntimeException: SymInitialize failed with code 508 (SYMAPI_C_UNKNOWN_HOST)
2017-06-28 17:57:35,654 INFO [com.emc.em.deployer.ServerManagerService] (EJB default - 1) ServerManagerService.getLine(): Caused by: javax.ejb.EJBException: java.lang.RuntimeException: SymInitialize failed with code 508 (SYMAPI_C_UNKNOWN_HOST)

symapi log:

ERROR [em.bp.SYMAPI] (ServerService Thread Pool -- 5) SymapiSession.getUserDataForAppReg:Failed to open session: SymInitialize failed with code 510 (SYMAPI_C_NET_CONN_REFUSED)

Fresh installation on supported OS.

Check the IP address in the SE NETCNFG file that the client points to.

When installing Unisphere and specifying the remote server, you should also be pointing to this IP address.

Uninstall & reinstall if these IP addresses are different or incorrect.

This is an SE security setup issue. UNI cannot connect because of the following:

ERROR [em.bp.SYMAPI] (ServerService Thread Pool -- 5) SymapiSession.getUserDataForAppReg:Failed to open session: SymInitialize failed with code 510 (SYMAPI_C_NET_CONN_REFUSED)

On the client SE OPTIONS file:

SYMAPI_SECURITY_LEVEL = SECURE

On the server SE OPTIONS file:

SYMAPI_SECURITY_LEVEL = NONSECURE

Action plan:

Updated Options file to reflect NONSECURE on both sites

Restarted ‘storsrvd’ on SYMAPI server

Started ‘SMAS’ on remote client

Outcome:

[root@raz1rxespl1v /etc/init.d]# ./smas status

UNIVMAX is running (pid 23198)

[root@raz1rxespl1v /etc/init.d]# ./smas status

UNIVMAX is not running

The errors within the remote SMAS deployer log are now indicating the client/server issue mentioned (rather than UNKNOWN HOST we were seeing previously):

2017-07-10 12:33:30,379 INFO [com.emc.em.deployer.ServerManagerService] (EJB default - 1) ServerManagerService.getLine(): Caused by: javax.ejb.EJBException: java.lang.RuntimeException: SymInitialize failed with code 510 (SYMAPI_C_NET_CONN_REFUSED)
2017-07-10 12:33:30,379 INFO [com.emc.em.deployer.ServerManagerService] (EJB default - 1) ServerManagerService.getLine(): Caused by: java.lang.RuntimeException: SymInitialize failed with code 510 (SYMAPI_C_NET_CONN_REFUSED)
2017-07-10 12:33:30,379 INFO [com.emc.em.deployer.ServerManagerService] (EJB default - 1) ServerManagerService.getLine(): Caused by: SymInitialize failed with code 510 (SYMAPI_C_NET_CONN_REFUSED)"}}}}}}}}}}}}

storsrvd on the SYMAPI server (AIX host) is now flooding with:

<Error> [283115xx SESS 1113] Jul-10 15:36:37.184 pdsIpcSendMsg #3052 : Error during send, handle=0x0, nRc=700xxx1901


Apache Struts CVE-2018-11776

Can anyone confirm that the CEM Internet Gateways are not susceptible to the remote code execution vulnerability reported in CVE-2018-11776?

Can it be confirmed if Apache Struts are used or not on the CEM Gateways?

thanks


7020292: How To Adjust the Tomcat Memory Settings on Linux


Adjusting the memory that tomcat uses on Linux is very easy. Follow these steps to adjust the amount of memory that tomcat will use.


1. Remote onto the Retain Server, either with PuTTY or by logging in directly on the server.

2. Browse to /etc/opt/beginfinite/retain/tomcatx

Where “x” is the Tomcat version. In Retain 2.x, this would be tomcat5; in 3.x and 4.0-4.1, tomcat7; in 4.2 and above, tomcat8.

3. Edit the file named j2ee.

4. Go to the section of the file that affects the memory settings (note: the actual current memory settings may likely vary on your system from what is shown in the following examples):

Retain 2.x and 3.x: Find the line MEMORY_HEAP="-Xms2048M -Xmx2048m"

Retain 4.x: Find the line CATALINA_OPTS="-Xms4g -Xmx6g -Xss256k"

5. Change both the -Xms (minimum memory) and the -Xmx (maximum memory) values to the desired value.

It is recommended that they be set to the same value (see “Tomcat JVM – What You Need to Know“).

What you set this to is largely determined by many variables, including how much RAM is on the server, whether MySQL is running on the same server, whether there are Workers on the local server (and how many), etc. See “Retain Planning and Design Best Practices” for a more in-depth discussion.

6. Save the changes and restart tomcat.


Introduction and MDM Architecture

The MDM architecture is a three-tier model:



Database Server: Place where the business data and metadata reside. It is implemented on a DBMS – Oracle or DB2

Application Server: Manages security and access to the data. It is implemented on a J2EE application server – Weblogic, Websphere, or JBOSS


UI Layer: Set of tools that allows users to configure the environment and perform data management activities.


Database Server Tier



The database server layer comprises two types of schemas:

• Master Database: Contains MDM Hub environmental configuration settings

• Operation Record Store (ORS): Contains master data and content metadata


Application Server Tier

• Supports data cleansing and matching activities

• Enables data access and exposes various data services as APIs


Batch Process Flow

Overall batch process flow of data in Informatica MDM


Hub Console

The MDM Hub console is a UI for MDM-specific administrative and configuration activities

This video helps you understand the complete architecture of Informatica MDM