Configuring Common Secure Interoperability Version 2 (CSIV2) - PCI Compliance

TL;DR

To enable CSIv2 for inbound and outbound launch the wsadmin tool with -lang jython and issue the following command:

AdminTask.configureCSIOutbound('[-transportLayer 'SSL-required']')
AdminTask.configureCSIInbound('[-transportLayer 'SSL-required' ]')
AdminConfig.save()

Using the console:

Set the inbound and outbound transports in the administrative console. Make sure that administrative security is enabled.

• WebSphere Application Server Version 7.0: Click Security > Global Security > RMI/IIOP Security > CSIv2 inbound [outbound[ communications. Change the transport type under the CSIv2 Transport Layer to SSL-Required.

Transport values:

TCP/IP
SSL-required
SSL-supported

CSIv2 stands for the Common Secure Interoperability Version 2 (CSIV2) and can be found in the inbound and outbound communication settings.

FIPS Compliance-Part III. enableFips using wsadmin and jython jacl

TL;DR

To enable FIPS140-2, launch the wsadmin tool with -lang jython and issue the following command:

AdminTask.enableFips("[-enableFips true -fipsLevel FIPS140-2]")

or use Jacl:

$AdminTask enableFips {-enableFips true -fipsLevel transition }

Result:

fipsLevel values:

FIPS140-2

transition

SP800-131

Details:

Or you can save even more time by scripting this. I wrote the following script to do the job for me (my actual script is longer as now it supports different fipsLevel values).

Example jython script:

import sys, java
def enableFIPS(fipsLevel):
  AdminTask.enableFips("[-enableFips true -fipsLevel FIPS140-2)
  AdminConfig.save()
def disableFIPS():
  AdminTask.enableFips("[-enableFips false)
  AdminConfig.save()
if sys.argv[0].lower()=="enable":
  print 'Enabling the FIPS140-2'
  enableFIPS("FIPS140-2")
elif sys.argv[0].lower()=="disable"
  disableFIPS()

FIPS Compliance-Part II. IBMJCEFIPS not found for IBMSecureRandom

TL;DR

Add the following lines to the java.security ([java_homedir]/jre/lib/security/java.security) file:

security.provider.1=com.ibm.securerandom.provider.IBMSecureRandom
security.provider.2=com.ibm.crypto.provider.IBMJCE

Explanation of the issue:

After enabling the FIPS compliance you might encounter the following errors in the log file once you try to restart the Application server:

Log details:

com.ibm.websphere.ssl.JSSEHelper.getSSLContext 704
com.ibm.ws.security.orbssl.WSSSLServerSocketFactoryImpl.createSSLServerSocket 459
com.ibm.ws.orbimpl.transport.WSTransport.createServerSocket 1439
com.ibm.ws.orbimpl.transport.WSTransport createServerSocket P=312105:O=0:CT ORBX0390E: Cannot create listener thread.
Exception=[ org.omg.CORBA.INTERNAL: CAUGHT_EXCEPTION_WHILE_CONFIGURING_SSL_SERVER_SOCKET,
Exception=com.ibm.websphere.ssl.SSLException:
java.lang.RuntimeException: Provider IBMJCEFIPS not found for IBMSecureRandom
vmcid: 0x49421000 minor code: 77 completed: No - received while attempting to open server socket on port 1072 ].
com.ibm.ws.orbimpl.transport.WSTransport.startListening 805
com.ibm.ws.orbimpl.transport.WSTransport.createListener 724

The easiest way to fix it is by adding the missing IBM SecureRandom provider into the list before the IBM JCE provider inside the java.security ([java_homedir]/jre/lib/security/java.security):

security.provider.1=com.ibm.securerandom.provider.IBMSecureRandom
security.provider.2=com.ibm.crypto.provider.IBMJCE

FIPS Compliance-Part I. How to enable the FIPS

How to Enable the FIPS in WebSphere Application Server?

Login to the web console (http[s]://[hostname]:port/ibm/console) and navigate to:

1. Security > SSL certificate and key management.
2. Go to Manage FIPS
3. Select the check box to Use the United States Federal Information Processing Standard (FIPS 140-2) algorithms
4. Click Apply.
5. Save the configuration changes.

Next, set the environment variable to restrict the IBMJSSE2 provider to FIPS-compliant algorithms:

1. Servers > Application servers, and choose your application server
2. In the 'Configuration' tab, select the Server Infrastructure field
3. Click on the Java and Process Management > Process Definition
4. In the Additional Properties field, click Java Virtual Machine
5. Inside the Generic JVM Arguments field add the value: -Dcom.ibm.jsse2.usefipsprovider=true
6. Or, add the -Dcom.ibm.jsse2.usefipsprovider=true property to the jvm.options file

Finding the WebSphere Admin Console Port

TL;DR

locations of the files with all the ports including the ibm/console ports:

$WAS_HOME/profiles/[profileName]/config/cells/[cellName]/virtualhosts.xml

$WAS_HOME/profiles/[profileName]/config/cells/[cellName]/nodes/[dmgrName]/serverindex.xml

serverindex.xml

After the default installation of the WAS (Websphere Application Server) you can find the console located under the following URLs:

http://[hostname]:9060/ibm/console

or the SSL (secure connection) under the following URL:

https://[hostname]:9043/ibm/console

These ports are defined inside the virtualhosts.xml and serverindex.xml files that can be found in the following locations:

$WAS_HOME/profiles/[profileName]/config/cells/virtualhosts.xml
$WAS_HOME/profiles/[profileName]/config/cells/[cellName]/nodes/[dmgrName]/serverindex.xml

IBM Websphere Application Server how to

Below, bunch of very useful links regarding the IBM Websphere Application Server.

Here you can find information regarding the software installation, installation manager, policies, development, JEE specifications, compare IBM Websphere products, get the technical overview as well as the Update and the New features guide, tunning and performance tips, migration and upgrade guides.

Enjoy! 

Supported hardware and software information

http://www-03.ibm.com/software/products/en/appserv-was

http://publib.boulder.ibm.com/infocenter/prodguid/v1r0/clarity/index.html

IBM Support Policies

http://www-1.ibm.com/support/docview.wss?uid=swg21256700

http://www-01.ibm.com/software/support/lifecycle/lc-policy.html

http://www-01.ibm.com/common/ssi/cgibin/ssialias?subtype=ca&infotype=an&appname=iSource&supplier=877&letternum=ENUSZP13-0568

Installation Manager and Managing Repositories

http://www.ibm.com/developerworks/websphere/library/techarticles/1201_seelemann/1201_seelemann.html

http://www.ibm.com/support/docview.wss?uid=swg27023967&aid=1

http://www.ibm.com/developerworks/websphere/techjournal/1301_seelemann/1301_seelemann.html?ca=drs-

The Ideal WebSphere Development Environment

http://www.ibm.com/developerworks/websphere/techjournal/0312_beaton/beaton.html

Web Server plug-in technotes and Merge tool

http://www-1.ibm.com/support/docview.wss?uid=swg21160581

http://www-01.ibm.com/support/docview.wss?uid=swg21139573

http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-ndmp&topic=twsv_configsimplelb

WebSphere supported Specification levels and pointers to JEE specifications

http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-nd-mp&topic=rovr_specs

http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-ndmp&topic=rovr_specs_javaee7

WebSphere AppServer API Deprecations, removals and stabilizations

http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-ndmp&topic=rmig_deprecationlist

Changes in Default behavior

http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-ndmp&topic=rmig_defaultvalue

WebSphere Application Server V8.5 Concepts, Planning, and Design Guide

http://www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg248022.html?Open

Migrating WebSphere Compute Grid or Feature Pack for Modern Batch

http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-ndzos&topic=container_computegrid_migrating_cg

Webcast replay: WebSphere Application Server V61 for z/OS Exit Plan

http://www.ibm.com/support/docview.wss?uid=swg27035994&myns=swgws&mynp=OCSS7K4U&mync=E

WebSphere Training and Technical Enablement

http://www-01.ibm.com/software/websphere/education/

IBM Education Assistant

http://www.ibm.com/software/info/education/assistant/

https://mediacenter.ibm.com/channel/t/33964822

What's new in WebSphere Application Server v7.0

http://www.ibm.com/developerworks/websphere/library/techarticles/0809_alcott/0809_alcott.html

What’s new in WebSphere Application Server v8.0

http://www.ibm.com/developerworks/websphere/techjournal/1106_alcott/1106_alcott.html

What's new in WebSphere Application Server V8.5

http://www.ibm.com/developerworks/websphere/techjournal/1206_alcott/1206_alcott.html

WebSphere Application Server V8.5.5 Technical Overview

http://www.redbooks.ibm.com/redpapers/pdfs/redp4855.pdf

WebSphere Application Server: New Features in V8.5.5

http://www.redbooks.ibm.com/redpapers/abstracts/redp4870.html?Open

WebSphere Application Server V9 Update

https://mediacenter.ibm.com/media/WebSphere+Application+Server+V9+technical+update/0_ttxciunh/33964822

Properties based configuration

http://www.ibm.com/developerworks/websphere/techjournal/0904_chang/0904_chang.html

http://pic.dhe.ibm.com/infocenter/wasinfo/v8r5/index.jsp?topic=/com.ibm.websphere.base.doc/ae/rxml_7propbasedconfig.html

http://www.ibm.com/support/docview.wss?uid=swg27039420

System administration in WebSphere Application Server V8.5, Part 1:An overview of new administrative features and enhancements

http://www.ibm.com/developerworks/websphere/techjournal/1206_cheng/1206_cheng.html

System administration in WebSphere Application Server V8.5, Part 2:Using the Centralized Installation Manager

http://www.ibm.com/developerworks/websphere/techjournal/1206_wong/1206_wong.html

System administration in WebSphere Application Server V8.5, Part 3:High Performance Extensible Logging (HPEL)

http://www.ibm.com/developerworks/websphere/techjournal/1208_bourne/1208_bourne.html

System administration in WebSphere Application Server V8.5, Part 4:Using pluggable SDK 7

http://www.ibm.com/developerworks/websphere/techjournal/1209_hall/1209_hall.html

IBM Techdocs Whitepapers on WAS Migration case studies, including other IBM products

http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/WP101455

Migrating to Version 7.0 - zOS

http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/WP101329

WAS z/OS Migration Performance Study

http://www.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/WP101589

Case study: Tuning WebSphere Application Server V7 for performance

http://www.ibm.com/developerworks/websphere/techjournal/0909_blythe/0909_blythe.html

WebSphere Application Server V7 Migration Guide

http://www.redbooks.ibm.com/redpieces/abstracts/redp4635.html

Changing host names and migrating profiles

http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-ndmp&topic=tagt_hostname

http://www.ibm.com/developerworks/websphere/techjournal/0905_webcon/0905_webcon.html

IBM Techdocs Whitepapers on WAS Migration case studies, including other IBM products

http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/WP101455

Migrating to Version 7.0 - zOS

http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/WP101329

WAS z/OS Migration Performance Study

http://www.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/WP101589

Case study: Tuning WebSphere Application Server V7 and V8 for performance

http://www.ibm.com/developerworks/websphere/techjournal/0909_blythe/0909_blythe.html

WebSphere Application Server V7 Migration Guide

http://www.redbooks.ibm.com/redpieces/abstracts/redp4635.html

WebSphere Application Server V8.5 Migration Guide

http://www.redbooks.ibm.com/abstracts/sg248048.html

Changing host names and moving profiles

http://www.ibm.com/developerworks/websphere/techjournal/0905_webcon/0905_webcon.html

Migrating cell configurations to new host machines

http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-nddist&topic=tmig_migrate_remote_commandline

Migration – Application Installation problems

http://www-01.ibm.com/support/docview.wss?uid=swg27008724&aid=13

Rational Application Developer Performance Tips

http://www.redbooks.ibm.com/abstracts/sg246449.html

WDT and WAS Application Server for Development

http://www.ibm.com/developerworks/downloads/ws/wasdevelopers/

JDK Compatibility

http://www.oracle.com/technetwork/java/javase/8-compatibility-guide-2156366.html

http://www.oracle.com/technetwork/java/javase/compatibility-417013.html

http://www.oracle.com/technetwork/java/javase/compatibility-137541.html

J2EE class loading

http://www.ibm.com/developerworks/websphere/library/techarticles/0112_deboer/deboer.html

Migration from Apache SOAP to WebServices

http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-basedist&topic=rwbs_migrate

JavaServer Pages specific Web container custom properties

http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-ndmp&topic=rweb_jsp_custom_props

JMS Listener to Message Driven Bean migration

http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-ndmp&topic=tmj_adm32_

JDK 5/6/7 Tuning

http://www.ibm.com/support/docview.wss?uid=swg27013824

Using Spring and Hibernate with WebSphere Application Server

http://www.ibm.com/developerworks/websphere/techjournal/0609_alcott/0609_alcott.html

WebSphere Application Server Migration Toolkit

http://www.ibm.com/developerworks/websphere/downloads/migtoolkit/index.html

https://developer.ibm.com/wasdev/docs/migration/

https://developer.ibm.com/wasdev/docs/migration-toolkit-application-binaries/

https://developer.ibm.com/wasdev/downloads/#asset/tools-WebSphere_Application_Server_Migration_Toolkit

https://developer.ibm.com/wasdev/downloads/#asset/tools-Migration_Toolkit_for_Application_Binaries

Using other WebService engines in WAS

http://www.ibm.com/developerworks/websphere/library/techarticles/1001_thaker/1001_thaker.html

http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-ndmp&topic=twbs_thirdparty

JSF Migration

http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-ndmp&topic=cweb_jsfmigrate

WebSphere Application Server V8.5 Migration Guide

http://www.redbooks.ibm.com/redpieces/abstracts/sg248048.html

Resolving Open Source issues

http://www-01.ibm.com/support/docview.wss?uid=swg21639407

UrbanCode Deploy

https://developer.ibm.com/urbancode/products/urbancode-deploy/

https://developer.ibm.com/urbancode/plugin/websphere-application-server-configure/

Introducing the Visual Configuration Explorer

http://www.ibm.com/developerworks/websphere/techjournal/0710_supauth/0710_supauth.html

http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1139

IBM Support Assistant

https://www-01.ibm.com/software/support/isa/

Best Practices for Configuring and Managing Large WebSphere Topologies

http://www.ibm.com/developerworks/websphere/library/techarticles/0710_largetopologies/0710_largetopologies.html

wsadmin Primer

http://www.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/WP101014

IBM SDK, Java Technology Edition

http://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/welcome/welcome_javasdk_version.html

http://www.ibm.com/support/knowledgecenter/SSYKE2_7.1.0/welcome/welcome_javasdk_version.html

JACL to Jython conversion assistant

http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24012144

CurrentFunctionPath - resolving function and stored procedure references

Whenever you are getting the error for trying to access particular function via stored procedure, and you get the error, most probably the CurrentFunctionPath does not include the valid (or contains not enough) schema names.

The CurrentFunctionPath is a property, and can contain one or more schema names, separated by commas and enclosed in double quotation marks. Also, the order of the defined schemas determines the orders in which the function and procedure names are resolved.

The default value is the default CURRENT PATH (or CURRENT_PATH) special register setting at the database server.

Git commands for the beginners. Part I

To create a new repository:

git init

To checkout from the existing repository, use:

git clone username@host:/path/to/repository

To create a copy of the existing local repository:

git clone /path/to/repository

Use: https://github.com