Front cover IBM WebSphere Portal V6 Self Help Guide Key recommendations for optimal configuration and use Problem avoidance, determination, and resolution Best practices for security and maintenance Philip Monson Fang Feng Jerry Dancy Shadi Albouyeh Chakravarthy Kunapareddy Stephanie Martin James Roca...
Page 3
International Technical Support Organization IBM WebSphere Portal V6 Self Help Guide January 2008 REDP-4339-00...
IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead.
UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others. viii IBM WebSphere Portal V6 Self Help Guide...
Philip Monson is a Project Leader at the ITSO Lotus® Center in Cambridge MA. Phil has been with Lotus / IBM for 17 years, joining the company when the early versions of Notes were rolled out for internal use only. He has served in management, technical, and consulting roles in the IT, Sales, and Development organizations.
IBM Workplace™ for Customer Support Portal. James Roca is a Senior Consulting IT Architect with the IBM Software Group. He has spent the last two and a half years assigned to the Asia Pacific region to build and promote technical skills, and to champion leading edge Portal architectures.
Your efforts will help increase product acceptance and customer satisfaction. As a bonus, you will develop a network of contacts in IBM development labs, and increase your productivity and marketability. Find out more about the residency program, browse the residency index, and apply online at: ibm.com/redbooks/residencies.html...
Page 14
IBM WebSphere Portal V6 Self Help Guide...
Document Manager, and Personalization, among others. For customers who are looking to install and configure a enterprise deployment of WebSphere Portal Server Version 6, refer to the IBM Redbooks publication, WebSphere Portal Version 6 Enterprise Scale Deployment Best Practices, SG24-7387.
Figure 1-1 shows an overview of IBM accelerators for WebSphere Portal. Figure 1-1 IBM Accelerators for WebSphere Portal IBM WebSphere Portal Version 6 is an enterprise portal solution with the complete portal services that are necessary to deliver a single point of personalized interaction to applications, content, business processes, and people for a unified user experience.
Figure 1-2 shows an example of a business portal solution. Figure 1-2 Example of business portal solution IBM WebSphere Portal Version 6.0 delivers new features, functions, and performance that helps to improve the efficiency of your organization, the speed of your application deployment, and the utilization of your IT assets.
Responsiveness and reliability, delivered by a leader in the enterprise portal market. 1.4 Administration improvements There are a number of enhancements and new features in Version 6 that are central to administration. Some of the highlights include: Portal configuration management integrated with WebSphere Application Server configuration management for easier operation of clustered portal installation, less manual steps, and reduced risk for failure.
137”, we discuss how topology, application design, back- and front-end resources, and other factors can greatly impact the user experience and provide information about monitoring tools that can help to prevent bottlenecks. IBM WebSphere Portal V6 Self Help Guide...
Page 21
Functional challenges, can affect even the best thought out and executed deployments. In Appendix A, “Using IBM tools to find solutions and promote customer self-help” on page 169, we discuss the usage of the various support tools to enable customers to self- recover from operational challenges more quickly.
Page 22
IBM WebSphere Portal V6 Self Help Guide...
Architecture and planning Chapter 2. IBM understands and recognizes that many customers need to make important decisions about their WebSphere Portal Server solution, both prior to and during a deployment. With intimate knowledge of the challenges and pitfalls that go hand in hand with managing...
It is acknowledged that the principles of good architectural design and development go hand in hand with the adoption of a suitable methodology. Indeed, the IBM Global Services Method (GS-Method or GSM) has been the basis for many successful WebSphere Portal Server deployments.
Instead, they prefer to purchase Commercial-Off-The-Shelf (COTS) portlets or to use wizard driven development, as found in IBM Rational® Application Developer and IBM Portlet Factory. Middleware Integration In a subtle distinction from Application or Programmatic Integration, Middleware Integration commonly involves the deployment of an intermediary.
Page 26
Not universally queue entry point. implemented. Synchronous Yes. Custom Invocation implementation. Asynchronous Yes. Yes. EIS-specific. Invocation Event Driven Yes. Yes. EIS-specific. Reliable Payload Standard Defined. Yes. EIS-specific - Delivery Functionality provided by actual adapters. IBM WebSphere Portal V6 Self Help Guide...
The following recommendations are made with regards to the selection of the most appropriate connectivity technology: Use Web Services when portability or interface standardization is a prime concern. Use Messaging when high QoS constraints and loose coupling or asynchronous invocation is needed. Use JCA when high QoS constraints and synchronous invocation are needed.
The following non-functional requirements are documented to articulate the critical elements of a successful implementation: Availability Backup and Recovery Capacity Estimates and Planning Disaster Recovery Extensibility/Flexibility Failure Management Performance Scalability Security Service Level Agreements Standards System Management Usability Tip: A non-functional requirement is not well specified if it is not specific or measurable. Attainability and measurability are checks that should be performed against each requirement.
As such, it is strongly recommended that IBM is engaged during this crucial period of any implementation, if not at any other time during a project.
Page 32
In inbound mode, WPS uses adapters to trigger the integration application by the event occurring in the EIS system. For example, an adapter can be deployed on WPS to synchronize product information across multiple enterprise IBM WebSphere Portal V6 Self Help Guide...
Page 33
information systems. A modification of the product information on one EIS triggers a business application that processes the data and propagates it to the other enterprise information systems. LDAP Directory Server A directory is often described as a database, but it is in fact a specialized database that has unique characteristics that set it apart from that of general purpose relational databases.
For example, the failover from a network connection failure has different fail-over characteristics from that of a WebSphere Portal Server cluster member JVM crash. System Example: Integration of system event monitoring with client X’s enterprise Management monitoring infrastructure. IBM WebSphere Portal V6 Self Help Guide...
2.3 Operational architectures Increasingly, WebSphere Portal Server customers are interested in deploying a Portal in a business critical environment. However, such a requirement raises the question about how best to address such needs in terms of selecting the most appropriate operational architecture.
Page 36
As such, the decision to implement this approach rests with the comfort factor of each particular organization. Figure 2-2 on page 23 illustrates the system topology needed for a WebSphere Portal Server V6.0.x single clustered architecture. IBM WebSphere Portal V6 Self Help Guide...
Page 37
Firewall Load Balancer Load Balancer HTTP Cluster HTTP Server HTTP Server HTTP Server HTTP Server node: ebizWS01 node: ebizWS02 node: ebizWS01 node: ebizWS02 Firewall WebSphere_Portal_3 WebSphere_Portal_7 WebSphere_Portal_3 WebSphere_Portal_7 Portal Cluster WebSphere_Portal_2 WebSphere_Portal_6 WebSphere_Portal_2 WebSphere_Portal_6 WebSphere_Portal_1 WebSphere_Portal_5 WebSphere_Portal_1 WebSphere_Portal_5 WebSphere_Portal_4 WebSphere_Portal_4 WebSphere_Portal WebSphere_Portal WAS Cell...
Page 38
One “Line of Production” can effectively be taken off line, as and when required, without impacting the remaining “Line of Production”. Critically, the ability to share user customization and IBM WebSphere Portal V6 Self Help Guide...
Page 39
WebSphere Portal Server V5.1.x and earlier. Failing to implement such an architecture would otherwise necessitate deploying a single clustered instance of WebSphere Portal Server and adopting either the IBM documented 24x7 Portal maintenance procedure or the use of a secondary maintenance environment.
Page 40
Indeed, such an architecture when deployed sacrificed the ability for a user to make any customization or personalization modifications, as the changes simply could not IBM WebSphere Portal V6 Self Help Guide...
For more information about WebSphere Extended Deployment refer to: WebSphere Extended Deployment (XD) 6.0.2 support for WebSphere Portal Server, found http://www.ibm.com/support/docview.wss?uid=swg21264596 WebSphere Extended Deployment (XD) 6.0.x Information Center, found at: http://www.ibm.com/software/webservers/appserv/extend/library/library60x.html 2.4 Portal deployment considerations Three principle methods exist for implementing maintenance in a WebSphere Portal Server V6.0.x production environment.
Alternatively, in-situ maintenance can be performed by adhering to the IBM documented 24x7 maintenance procedure. However, while this latter approach represents a distinct improvement over the...
caveat that WebSphere Portal Server prior to V6.0.x did not support database domains, the possibility that such data could be readily shared between Portal instances was not feasible; the only option was the one-way transfer of such data between environments. Finally, the need to undertake any so-called backend plumping, to those systems and services being integration through Portal, warranted significant time and effort to ensure a satisfactory outcome.
2.5.1 Scalability As mentioned previously, the ability to scale WebSphere Portal Server V6.0.1, or any other WebSphere Application Server for that matter, is essentially achieved by clustering. Clustering allows requests to be Workload Managed (WLM'ed) between a number of cloned copies of the concerned application.
Tip: Our experience has shown that many customers fail to implement vertical clustering when horizontal clustering is implemented to address the needs of high availability. As such, it is an IBM recommended best practice that both vertical and horizontal clustering are implemented to address the needs of scalability, high availability, and operational availability.
The ability to queue requests in the network layer is a critical part of the WebSphere queuing mechanism. For example, if there are more connection requests than available Web container threads, then connections start to backlog, waiting for threads to be freed. If the maximum number of backlog connections is reached, new connections will be refused.
2.5.6 Separation of Web servers and WebSphere Portal Servers In most cases, unless the hardware cost is a limiting factor, it is an IBM recommended best practice to architect the Web server and WebSphere Portal Server on separate physical nodes.
CPU is able to provide execution time for at least one cluster member server that can handle the load. Since Version 1.3.x, the IBM JVM has supported multiple garbage collection (GC) helper threads to improve performance during the mark phase of GC.
Transaction Manager that can be leveraged. Finally, it follows that the size of the HttpSession object and the size of the permissible Java heap directly influence the number of users that Portal can concurrently support. Of course, scalability issues can be addressed by WebSphere clustering. IBM WebSphere Portal V6 Self Help Guide...
2.6 Security Security within the enterprise has become increasingly more important and complex as distributed systems and Internet technology have merged. The issue can hardly be ignored, as security breaches are announced in the news on a daily basis. While security is becoming increasingly more complex, technology has also provided us with better ways to implement and maintain security within an organization.
Key points to note about the out-of-the-box SSO provided with WebSphere Portal Server are: SSO is based on the Lightweight Third-Party Authentication (LTPA) token, which is an IBM proprietary standard. It is suitable for achieving SSO between WebSphere and Domino based products only.
Page 53
SSO capability. As mentioned previously, Tivoli Access Manager is just one such product that represents the IBM strategic enterprise-wide security offering. TAM consists of two main components: the Policy Server and the WebSEAL Reverse Authenticating Proxy server.
WebSphere Member Manager does an LDAP search to get group and additional attribute information from the LDAP. WebSphere Portal Server also queries the resource mappings from the Portal database, before displaying the applicable Portal pages. IBM WebSphere Portal V6 Self Help Guide...
All communication should be over SSL; the link from WebSEAL to the Web server must use client certificate authentication, and the same must be true for the link from the Web server to the embedded Web Container of the underlying WebSphere Application Server instance of WebSphere Portal Server.
Page 56
DB2. Common Auditing and Reporting Service (CARS) Tivoli Access Manager Version 6 also includes the new IBM Common Auditing and Reporting Service (CARS) platform, which provides a consistent way to collect audit events and report on the collected data.
One may wish to consider CARS as an alternative to exploiting the generic UNIX syslogd for centrally collecting audit events in a distributed environment, as the standard syslogd does not provide encryption or any guarantee of delivery by being based on UDP. 2.6.7 LDAP Directory Servers There are several aspects to LDAP Directory Server design that make the topic a non-trivial issue.
Page 58
LDAP directory version, for example, InetOrgPerson when using IBM Tivoli Directory Server (TDS) V6.0. This is sufficient for most organizations, as it was defined to meet the requirements found in today's internet and intranet directory service deployments.
Page 59
iteratively searching through the member list of all groups. A second limitation of the Lotus Domino LDAP implementation is that the number of members in a group is limited by the size of the field. To work around this issue, nested groups can be implemented, whereby members are divided across two or more groups and then each of these groups are added as members to the original group.
WebSphere Portal Server administrator. The WebSphere Portal Server schema is not published and IBM reserves the right to make modifications to the schema in future Portal Fix Packs. Any manual manipulation of the underlying data store is strongly discouraged, to the point that it will not be supported by IBM.
Page 61
In this section, we provide a high-level overview of the two of the most common deployment options. The dual cluster with Two Lines of Production architecture Figure 2-6 depicts a dual clustered WebSphere Portal Server V6.0.x architecture supporting “Two Lines of Production”. Each “Line of Production” consists of multiple WebSphere Portal Server cluster members and accesses that are effectively the same community, customization.
DB2 instances on the database server. The creation of multiple instances on the same physical server provides a unique database server environment for each environment or sub-system. For example, the primary WebSphere Portal Server instance and the IBM WebSphere Portal V6 Self Help Guide...
Troubleshooting Guide, SC23-4862 has the most current and comprehensive information about maintaining a cluster in a 24X7 environment. It can be found along with the other documentation for HACMP at the following Web site: http://www.ibm.com/servers/eserver/pseries/library/hacmp_docs.html HADR DB2 High Availability Disaster Recovery (HADR) provides a new alternative for delivering a high availability solution by replicating data from a source database, called the Primary, to a target database, called the Standby.
Page 64
AIX (as of DB2 ESE 8.2 FP 13) in the same manner, and same licensing terms, as Linux (TSA bundled with DB2 ESE 8.2 on Linux). All HACMP or TSA has to do is detect a node IBM WebSphere Portal V6 Self Help Guide...
failure and issue the TAKEOVER HADR command. There is no requirement to configure it to do any disk takeover, IP address takeover, or anything else, so the configuration is straightforward. When it detects that the Primary has failed, HACMP or TSA will run the TAKEOVER HADR ON DATABASE prod BY FORCE command, which will cause the Standby to become the Primary.
Page 66
For a complete listing of available patterns, consult the IBM Patterns for e-business Web site at: http://www.ibm.com/developerworks/patterns Adopt the Portal Build & Validate Methodology In establishing a Portal Build & Validate Methodology, we acknowledge that there are key milestones associated with any Portal deployment. Adopting such a methodology thus reduces the likelihood that an incorrectly installed component will go undetected, until such a time that a significant Portal failure results.
Page 67
Deployment and cutover plan Deployment can impose a great deal of change and stress for any organization. Therefore, ensuring a smooth deployment is a key factor in satisfying any stakeholder. A deployment and cutover plan, as such, should minimize the impact of the cutover with the stakeholder's staff, existing production systems and overall business routine.
Page 68
IBM WebSphere Portal V6 Self Help Guide...
Cloudscape. Other components might require additional steps; see the product documentation for the specific components you want to install for information. Preparing an AIX machine: http://publib.boulder.ibm.com/infocenter/wpdoc/v6r0/topic/com.ibm.wp.ent.doc/wp f/os_aix.html Preparing an HP-UX machine: http://publib.boulder.ibm.com/infocenter/wpdoc/v6r0/topic/com.ibm.wp.ent.doc/wp f/os_hpux.html IBM WebSphere Portal V6 Self Help Guide...
This section describes the different installation options for WebSphere Portal from the Quick installation scenario that gets WebSphere Portal up and running quickly with a completely integrated IBM Cloudscape database to the advanced installation scenarios that address special situations that might arise in your environment.
Page 72
WebSphere Application Server information in order for the install program to create the profile at this time. IBM WebSphere Portal V6 Self Help Guide...
Page 73
Location: C:\IBM\WebSphere\AppServer (Jul 30, 2007 5:32:48 PM), MultiPlatform.install, com.ibm.wps.install.DetectWpsAction, msg2, Number of currently installed WPS:0 (Jul 30, 2007 5:32:48 PM), MultiPlatform.install, com.ibm.wps.install.DetectWpsAction, msg2, No WAS with WPS detected After the system completes validation, the installer proceeds with the WebSphere Application Server profile creation, the WebSphere Portal Installation, and the enable security configuration task.
Page 75
Figure 3-1 Empty Portal default page Attention: IBM is no longer supporting the "action-empty-portal" to clean out the Portal system and build it up from there since this has resulted in too many unresolveable issues. This procedure goes outside of what "action-empty-portal" was intended for, so the "action-empty-portal"...
This is one of the choices that downloads the WebSphere Portal Enable V6.0 image for the Linux OS. If you are a customer using Passport Advantage to download images from the Web, or if you have access to the appropriate IBM internal software through Business Partner IBM WebSphere Portal V6 Self Help Guide...
Access the search mechanism on the Web site that you use to download software images. – IBM Passport Advantage: http://www.ibm.com/software/howtobuy/passportadvantage/pao_customers.htm – IBM Passport Advantage - Direct Link To Customer Login: https://www.ibm.com/software/howtobuy/passportadvantage/paocustomer Type the e-Assembly or e-Assy to locate the offering.
By default, WebSphere Portal Server automatically installs and stores its predefined data in the IBM Cloudscape Database, as shown in Figure 3-2. While the IBM Cloudscape Database may be the suitable choice in small scale deployments, organizations looking to leverage the enterprise-wide capacity attributes of a database management system should continue with the following sections.
For additional information about planning for your database infrastructure, refer to 2.7, “Database considerations” on page 46. IBM WebSphere Portal V6 Self Help Guide...
Database domains With WebSphere Portal Server V6, the content repository has been separated into database domains. The separation of domains increases the flexibility for organizations by permitting: Single instances of WebSphere Portal Server to share portal data without clustering. Sharing of portal data among portal clusters allowing for multiple lines of production, allowing organizations to comply with high availability requirements.
Page 82
“database transfer with WebSphere Portal Version 6” and review all TechNotes surrounding this topic. Refer to Appendix A, “Using IBM tools to find solutions and promote customer self-help” on page 169 for more information.
Check the InfoCenter to reconfirm that you have met all the prerequisites for hardware, software, and configuration for your database server and client. Problem Avoidance: Use the IBM Support Assistant to perform a search on “database transfer and WebSphere Portal V6” to review all TechNotes and solutions associated with this task.
Page 84
Once this task is complete, you will need to stop the WebSphere Portal server and server1 and, upon stopping the servers, you will be ready to run the database transfer command as follows: For UNIX: ./WPSconfig.sh database-transfer -Drelease.DbPassword=password-Dcustomization.DbPassword=password -Dcommunity.DbPassword=password -Djcr.DbPassword=password -Dwmm.DbPassword=password -Dfeedback.DbPassword=password -Dlikeminds.DbPassword=password IBM WebSphere Portal V6 Self Help Guide...
For Windows: WPSconfig.bat database-transfer -Drelease.DbPassword=password -Dcustomization.DbPassword=password-Dcommunity.DbPassword=password -Djcr.DbPassword=password -Dwmm.DbPassword=password -Dfeedback.DbPassword=password -Dlikeminds.DbPassword=password The task will prepare for the configuration by deleting the existing /work directory, creating it, and then copying the relevant files for each domain into the directory. The task will then attempt to stop the WebSphere Portal server and admin server in order to proceed with the copying of the database properties.
Portal Server to it. Like the database, the performance of the LDAP is vital to the usability of your portal and poor LDAP performance can render your portal inoperable. In this section, we discuss some inspection points that should be made. IBM WebSphere Portal V6 Self Help Guide...
Page 87
System requirements It is important to conduct a preliminary review of your system hardware and software in both new and existing LDAP infrastructures to ensure that they meet the supported levels for WebSphere Portal Server. The InfoCenter is routinely updated with specific versions and recommended compatible levels of configuration, If you are considering an upgrade to your LDAP implementation, we advise you to refer to 3.1.1, “How do I prepare my system for before...
LDAP is operational. – Anonymous search: ldapsearch -s base -h ldaphostname “objectClass=*” – Using a Bind ID: ldapsearch -h ldaphostname -D “cn=wpsbind,o=co” -w “wpsbind” -s base “objectClass=*” IBM WebSphere Portal V6 Self Help Guide...
Page 89
Note: Performing LDAP searches using an utility is one of the initial ways to troubleshoot directory problems. If you do not receive results and have confirmed that the problem is not user based (typos or extra spaces), it may indicate an underlying problem with the LDAP directory or network.
Page 90
“enable security with WebSphere Portal Version 6” and review all TechNotes surrounding this topic. Refer to Appendix A, “Using IBM tools to find solutions and promote customer self-help” on page 169 for more information.
LDAP, including the latest WebSphere Member Manager fixes. Problem Avoidance: Use the IBM Support Assistant to perform a search for “enabling security and WebSphere Portal V6” to review all TechNotes and solutions associated with this task.
Page 92
WebSphere Portal configuration properties LDAP Properties Configuration Advanced LDAP Configuration IBM Workplace Web Content Management Properties (If you wish to configure WCM in your WebSphere Portal environment) You will also need to locate the wpconfig_dbdomain.properties file, which you will also need to create a backup of before changing any values.
→ Tivoli Directory Server/IBM SecureWay/Domino Directory/Active Directory/Novell eDirectory/Sun™ System Directory Server → Configuring (your specific LDAP user registry name here) → non-realm/realm support in the InfoCenter at: http://publib.boulder.ibm.com/infocenter/wpdoc/v6r0/index.jsp Once the files have been modified, you will need to save them and stop the WebSphere Portal server.
The initial sections of this chapter outline the contents of the wpsinstall.log for each installation scenario so you should be familiar with the events that take place during the installation of WebSphere Portal. This understanding IBM WebSphere Portal V6 Self Help Guide...
Chapter 8, “Troubleshooting and monitoring“, of WebSphere Portal Version 6 Enterprise Scale Deployment Best Practices, SG24-7387, found at: http://www.redbooks.ibm.com/redbooks/SG247387/wwhelp/wwhimpl/js/html/wwhelp.htm The general approach described in that IBM Redbooks publication can, if followed, help you determine the failures for many different error messages that can occur during the installation of WebSphere Portal.
If you are unsuccessful after reviewing your configuration and using various support tools to help you debug, you may need to engage support. Refer to Appendix A, “Using IBM tools to find solutions and promote customer self-help” on page 169 for information about how to prepare your logs before engagement.
Page 97
Incorrect privileges for the LDAPBindID Unless anonymous searches are allowed, the LDAPBindID should have, at a minimum, permission to read and search a subset of the Directory Information Tree specified in the LDAP suffix entry. Confirm the privileges of your LDAPBind user if anonymous access is not allowed.
Page 98
IBM WebSphere Portal V6 Self Help Guide...
WebSphere Portal security Chapter 4. IBM WebSphere Portal provides personalized access to applications and processes, ranging from small and simple applications to complex enterprise information systems. It aggregates the content from different data sources to provide a single user interface for centralized display and management.
WebSphere Portal security. 4.1.1 The basics IBM WebSphere Portal provides personalized access to applications and processes, ranging from small and simple applications to complex enterprise information systems. It aggregates the content from many different data sources to provide a single user interface for centralized management.
Client 2 Client 1 Client 3 Authentication WSAS Reverse Proxy Internet PUMA Web Server Plugin User Registry (e.g. LDAP) Portal Database Backend Backend Backend Systems Systems Systems Figure 4-1 The general view of a WebSphere Portal deployment 4.1.2 WebSphere Member Manager (WMM) WebSphere Member Manager for WebSphere Application Server handles member data and profiles.
Page 102
The memberUniqueId in WMM can be mapped to a unique attribute in the LDAP server. The examples of memberUniqueId might be ibm-entryUUID for IBM Tivoli Directory Server, or objectGUID for Microsoft Active Directory. Depending on your usage of member profile data, you may want to use the memberDN or both the memberDN and the memberUniqueId.
When an application, such as WebSphere Portal, uses Member Manager, the application may have its own application-specific repository for data that is related to the member in Member Manager. This means the application needs a linkage for the data of a member managed by Member Manager and its own application-specific data for the same member.
(for the duration of the session) as a basis for access to other applications, systems, and networks. In the context of IBM WebSphere Portal, there are two single sign-on realms: the realm from the client to portal and other Web applications and the realm from the portal to the back-end applications.
For all details about SSO, LTPA and related topics, refer to the WebSphere Application Server Information Center. 4.1.5 WebSphere Portal login process It is very important to understand the basic login process in WebSphere Portal security. It is the key in finding the cause of problems in many failure scenarios. By default, WebSphere Portal security configuration is set up as a form-based login.
Page 106
Portal administration GUI, the security context is the current user credentials. Portal Scripting Interface Triggers the WebSphere Application Server and Portal Login by the Portal Scripting MBean. The user credentials are taken from the $Login scripting command. IBM WebSphere Portal V6 Self Help Guide...
Login To obtain details, refer to the white paper Understanding and configuring WebSphere Portal login and logout, found at: http://www.ibm.com/developerworks/websphere/library/techarticles/0706_buchwald/070 6_buchwald.html 4.1.6 Portal Access Control (PAC) The access level of a user to a portal resource is measured by the actions he can apply on the resource.
Page 108
When WebSphere Portal is configured to use an external authorization engine, such as the Tivoli Access Control authorization server, portal provides a set of Service Provider Interfaces (SPIs) that can directly interact with Portal Access Control Engine by calling ExternalAccessControlSerivce. IBM WebSphere Portal V6 Self Help Guide...
Page 109
When the PAC configuration is to be persisted, the datastore persistence layer is called to pass the configuration data to the portal database. The Portal Access Control runtime decision module has to retrieve the persisted permission data through the datastore persistence layer.
Tivoli Access Manager for e-business (TAM). The integration of WebSphere Portal and TAM provides a single central authentication point for one or more systems and other Web applications, thus providing easier management of security assets. IBM WebSphere Portal V6 Self Help Guide...
WebSEAL, a component in Tivoli Access Manager, acts as a reverse proxy server that intercepts all Web requests coming into the portal Web site. When a protected resource is accessed and the user has not been authenticated, WebSEAL challenges the user by consulting with its authorization server (policy server) and the user registry, so the reverse proxy is able to verify the user’s identity and pass the user’s identity info through iv-user and iv-creds in the HTTP header to WebSphere Application Server.
LDAP server, if extIds are mapped to a unique attributes created by the LDAP system, such as ibm-entryUUID (IBM Tivoli Directory Server), or objectGUID (Microsoft Active Directory). Thus, the simple procedure of “disable-reenable” security may wipe out all of the Portal Access Control configuration.
In the following discussion, we assume the user IDs used for the purposes above are all different. After the discussion, readers can easily extrapolate the cases if the user IDs may play multiple roles. The portal Admin user’s password is not stored in any of the portal databases, unless the security is enabled using the database as the user registry, such as the default WMMUR DB.
SvrSslCfg sequentially. This task creates a user account and server entries that represent the WebSphere Portal, and in addition, the file PdPerm.properties and a Java key store file are created locally under the Java runtime directory on the portal server box. This IBM WebSphere Portal V6 Self Help Guide...
Page 115
client certificate permits portal server to use TAM authentication services. The default expiration date of this client certificate is 365 days. Important: If the TAM runtime is not configured before, run-svrssl-config should be run first to set up the environment. Important: Update the client certificate before it expires.
WebSphere Portal to understand the general procedures in troubleshooting their problems. 4.3.1 General problem determination recommendations Here we discuss some general problem determination recommendations. IBM WebSphere Portal V6 Self Help Guide...
Page 117
Document system changes You should always document the system changes made, no matter whether it is a configuration change, or deployment of applications, or a Fix Pack or interim fixes. The change logs should be made available online, such that other people have access to them later even after you have left the project.
Page 118
DN and an LDIF output of the attributes and the groups the user belongs to. Save all the relevant documents for analyzing security related problems, and collect WMM configuration files in <wp_root>/wmm directory, wpconfig.properties, security.xml, and log IBM WebSphere Portal V6 Self Help Guide...
files, such as ConfigTrace.log, SystemOut.log, and SystemErr.log, as well as trace.log, if any traces are enabled. Always keep the evidence for the “crime scene”. A verification checklist of a working system with security enabled After the security is enabled, the first thing we would like to do is to verify whether the configuration is correct.
Page 120
TechNotes that contain some typical cases for security related problems, covering a broad range of problems encountered in debugging portal security problem. They are accessible at: http://www-1.ibm.com/support/docview.wss?rs=688&uid=swg21236371 For most Portal security related problems, we recommend WMM traces (<wmmbase>): com.ibm.websphere.wmm.*=all:com.ibm.ws.wmm.*=all:WSMM=all IBM WebSphere Portal V6 Self Help Guide...
Page 121
<base>. Depending on the special scenarios you have, you may want to attach the additional strings shown in Table 4-5. Table 4-5 Trace strings for security problems Problem Trace strings Portal application server startup com.ibm.ws.security.*=all without realm <wmmbase>:com.ibm.ws.security.*=all with realm Single sign-on <base>:com.ibm.ws.security.*=all Portal login <base>...
Page 122
Depending on the settings on the memory buffer, a certain amount of memory on the heap will be used for the logging. We recommend setting the traces when you want to recreate the scenario and disable them when the recreation of the scenario is completed. IBM WebSphere Portal V6 Self Help Guide...
When the traces are enabled statically, the trace specification should be shown at the top of the log: [8/2/07 11:51:32:609 EDT] 0000000a ManagerAdmin I TRAS0017I: The startup trace state is *=info:com.ibm.ws.wmm.*=all:com.ibm.websphere.wmm.*=all:WSMM=all:com.ibm.ws.securi ty.*=all:com.ibm.wps.engine.commands.*=all:com.ibm.wps.puma.*=all:com.ibm.wps.serv ices.puma.*=all:com.ibm.wps.services.authentication.*=all:com.ibm.wps.sso.*=all. When the traces are enabled dynamically, there should be a line like the following: [8/21/07 9:39:14:656 EDT] 00000046 ManagerAdmin I TRAS0018I: The trace state has changed.
Page 126
WebSphere variable ${WMM_CONFIG_PATH} created during cluster creation. Example 4-5 shows the third segment of the sample security.xml file. Example 4-5 Sample security.xml: the third segment <applicationLoginConfig xmi:id="JAASConfiguration_1"> <entries xmi:id="JAASConfigurationEntry_1" alias="ClientContainer"> <loginModules xmi:id="JAASLoginModule_1" moduleClassName="com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy" authenticationStrategy="REQUIRED"> IBM WebSphere Portal V6 Self Help Guide...
Page 128
<users xmi:id="UserExt_1157057598297" name="cn=asdf,ou=people,ou=dept,o=acme.com"/> </authorizations> <roles xmi:id="SecurityRoleExt_1" roleName="administrator"/> <roles xmi:id="SecurityRoleExt_2" roleName="operator"/> <roles xmi:id="SecurityRoleExt_3" roleName="configurator"/> <roles xmi:id="SecurityRoleExt_4" roleName="monitor"/> </rolebasedauthz:AuthorizationTableExt> You can see that two users, wpsbind and wpsadmin, were assigned the Administrator role and the Monitor role. IBM WebSphere Portal V6 Self Help Guide...
Page 129
WebSphere Member Manager (WMM) configuration files The main configuration files for the WebSphere Member Manager (WMM) are inside the directory <portal_root>/wmm, which is outside of the scope of the WebSphere Application Server. In a clustered environment, in order for the Deployment Manager (Dmgr) to be able to synchronize the files with the nodes in the cell, these WMM files are copied into <wsas_profile_root>/config/cells/wmm.
Page 131
<supportedLdapEntryType name="Group" rdnAttrTypes="cn" objectClassesForRead="groupOfUniqueNames" objectClassesForWrite="groupOfUniqueNames" searchBases="ou=groups,ou=dept,o=acme.com"/> </supportedLdapEntryTypes> </ldapRepository> </repositories> </wmm> Within the WMM configuration, the default realm name is set to portal. If you prefer a different name, you can choose one and set it to “WmmDefaultRealm” in wpconfig.properties, and then run the security configuration task, or you can change it after the security is enabled, by modifying defaultRealmName in wmm.xml, and the name of “default”...
Page 132
/realm> <realm id="intranet" delimiter="@" default="false"> node wmmnode=”uid=wpsadmin,ou=people,ou=dept,o=acme.com”/> node wmmnode="dc=loc2,dc=abc,dc=com"/> node wmmnode="cn=users,dc=intranet,dc=abc,dc=com" defaultParent="Person"/> node wmmnode="cn=groups,dc=intranet,dc=abc,dccom" defaultParent="Group"/> /realm> /realms> </wmmur> Only one default realm is allowed. Make sure you have only one set to true. IBM WebSphere Portal V6 Self Help Guide...
WMM utility called wmm_encrypt.bat/.sh. An alternative to this approach of manually modifying the file wmmWASAdmin.xml using an editor is using the utility updateWmmWASAdminRegistry.bat/.sh. IBM TechNote 1246919 had documented the usage of this utility. The second entry for the same user ID wasadmin allows using the short user ID when starting the application servers and logging in on the Administrative console.
Page 134
Sometimes even though wmmApp is shown as started, WMM could still fail as follows: [8/14/07 15:11:29:188 EDT] 0000000a WSMM Message E com.ibm.ws.wmm.MemberRepositoryManager init Initialization failed due to invalid property "supportedMemberTypes". [8/14/07 15:11:29:203 EDT] 0000000a WSMM Message E com.ibm.ws.wmm.objectimpl.MemberServiceBeanBase ejbCreate() com.ibm.websphere.wmm.exception.InitializationException: Initialization failed due...
Page 135
“WMM startup” on page 120: [8/14/07 15:11:29:672 EDT] 0000000a Servlet E com.ibm.wps.engine.Servlet init EJPFD0016E: Initialization of service failed. com.ibm.wps.util.DataBackendException: EJPSG0015E: Data Backend Problem java.rmi.ServerException: RemoteException occurred in server thread; nested exception is: com.ibm.ejs.container.CreateFailureException: ; nested exception is: java.lang.reflect.InvocationTargetException com.ibm.wps.services.puma.RealmAwareURManager.initRealms(RealmAwareURManager.java:...
[8/12/07 15:32:12:812 EDT] 00000017 WSMM Message E com.ibm.ws.wmm.objectimpl.MemberServiceBeanBase ejbCreate() java.lang.NullPointerException [8/12/07 15:32:12:875 EDT] 00000017 ExceptionUtil E CNTR0019E: EJB threw an unexpected (non-declared) exception during invocation of method "getConfigurationData". Exception data: com.ibm.ejs.container.CreateFailureException: ; nested exception is: java.lang.reflect.InvocationTargetException IBM WebSphere Portal V6 Self Help Guide...
Page 137
Step 4: Enable traces If you suspect the login failed during the WebSphere Application Server authentication phase, you may want to add WebSphere Application Server security trace (com.ibm.ws.security.*) to portal trace strings. One related issue is that multiple persons log in with the same administrator user ID. If these logins are not just for reading or viewing, but try to change some parts of the configuration, it is not supported and potentially can make undesirable results.
Page 138
> com.ibm.wps.engine.commands.LoginUser isAccessToPrivateArea ENTRY [pathData = null, queryData = { PC_7_NO2UF4I118ADC026HKQ8KC2GT1__login = Log in, password = ********, wps.portlets.userid = wpsadmin }, client = Microsoft Internet Explorer 6.0, locale = en, stateMap = null] IBM WebSphere Portal V6 Self Help Guide...
Page 139
Example 4-15. Example 4-15 WMM returned the groups a user belongs to [8/3/07 11:27:54:719 EDT] 00000040 DefaultURMana > com.ibm.wps.services.puma.DefaultURManager findNestedGroupByUser user= id: uid=wpsadmin,ou=people,ou=dept,o=acme.com attributeSubset: [sn, cn, ibm-primaryEmail, uid, givenName, preferredLanguage] memberIdentifier: [uid=wpsadmin,ou=people,ou=dept,o=acme.com / 87d99d40-1f62-102b-8d53-bdbac147b8f0] attributes: {sn=sn:Admin, cn=cn:wpsadmin, ibm-primaryEmail=ibm-primaryEmail:wpsadmin@acme.com, uid=uid:wpsadmin, givenName=givenName:wps, preferredLanguage=preferredLanguage:en}...
Page 140
Here “wpsadmins” is returned, which is the group user “wpsadmin” belongs to. When you see “com.ibm.wps.engine.commands.SessionValidator execute RETURN” is printed in the log, you are sure then that the login process should be over and the process of portlet aggregation and rendering starts.
Page 141
You may also want to check the sizes of the Access Control caches, which can be found in “WP CacheManagertService” in the admin console, and follow the suggestions provided in the white paper, Performance Tuning of Portal Access Control, found at: http://www.ibm.com/developerworks/websphere/library/techarticles/0508_buehler/0508 _buehler.html Although this paper was written for WebSphere Portal Version 5, the principles are still applicable to Version 6 as well.
Page 142
[6/12/07 11:16:37:824 CDT] 0000004d LTPAServerObj E SECJ0373E: Cannot create credential for the user <null> due to failed validation of the LTPA token. The exception is com.ibm.websphere.security.CustomRegistryException: The realm in the token: tamdirprod.mayo.edu:389 does not match the current realm: WMMRealm [6/12/07 11:17:03:153 CDT] 0000004d SecurityColla A...
Page 143
BadPaddingException occurred in this case, and is due to different LTPA keys being used to generate the LTPA token; the failing server could not decrypt the LTPA token. Problems in search of users or groups The Manage Users and Groups portlet plays important roles in validating and assigning Portal Access Control permissions.
Page 144
“groupOfNames”. Never mix them. Multiple “group attribute:member attribute” pairs separated by semicolons. For some LDAP servers, such as IBM Tivoli Directory Server and Microsoft Active Directory, a user entry is automatically assigned an implicit “group attribute” in which all groups the user belongs to would be stored.
Page 145
When configuring WebSphere Application Server security, you can take advantage of this feature if the underlying LDAP has such an attribute. For example, in the case of IBM Tivoli Directory Server, you can specify “ibm-allGroups:uniqueMember;ibm-allGroups:member”. In the case of Microsoft Active Directory, you can specify “mmeberOf:member”.
Page 146
Server] [/wps] [Servlet.LOG]: ServiceManager: VaultService [com.ibm.wps.services.credentialvault.VaultServiceImpl] initializing... [8/17/07 16:45:23:130 EDT] 2934440 WebGroup I SRVE0180I: [WebSphere Portal Server] [/wps] [Servlet.LOG]: ServiceManager: exception initializing service implementation com.ibm.wps.services.credentialvault.VaultServiceImpl: com.ibm.wps.services.credentialvault.exceptions.AdapterManagerException: EJPSK0024E: Vault adapter type AccessManager could not be loaded. IBM WebSphere Portal V6 Self Help Guide...
Page 147
[8/17/07 16:45:23:294 EDT] 2934440 ServletInstan E SRVE0100E: Did not realize init() exception thrown by servlet portal: javax.servlet.UnavailableException: Initialization of one or more services failed. In this case, an expired client certificate caused the system to fail. If there is any message related to the SSL handshake, you need to check the client certificate created when the TAM runtime was configured on WebSphere Application Server.
Page 148
Certificate not Trusted; targetException=java.lang.IllegalArgumentException: Error opening socket: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate not Trusted] Caused by: [SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate not Trusted; targetException=java.lang.IllegalArgumentException: Error opening socket: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate not Trusted] IBM WebSphere Portal V6 Self Help Guide...
Page 149
The commonly seen SSL handshake problems are summarized in Table 4-6. Table 4-6 SSL handshake exceptions Error returned possible cause Bad certificate The certificate is not signed by a known trusted CA. Unknown certificate The certificate is not from a known CA chain. Certificate expired The date or time associated with the certificate has passed.
Page 150
IBM WebSphere Portal V6 Self Help Guide...
Web browsers, voice systems, and other pervasive devices. WebSphere Portal Server supports a variety of desktop and mobile browsers. Furthermore, WebSphere Portal Server is a part of the IBM Application Framework for e-business and acts as a front end to Service-Oriented Architecture.
In addition, WebSphere Portal Server leverages the foundation capabilities provided by WebSphere Application Server or WebSphere Process Server (certain restrictions apply). 5.1.2 Portal foundation and framework Although it is usual to refer to WebSphere Portal Server as a single J2EE Enterprise Application, the architecture actually consists of a number of J2EE Enterprise Applications (EAs).
Portal, so that all Portlets can use it. For example, a vendor or customer could write a Search Service, Location Service, or a Mail Service. The following Portal Services are just some that are provided by IBM with WebSphere Portal Server: Administrator Unique Names Mapping Service provides a mechanism for creating URL links between administration portlets, themes, and administrative pages.
Page 155
Cache Manager Service is responsible for managing the different caches used in WebSphere Portal Version 6.0.x. The portal provides two different types of caches: shared and non-shared. The shared caches are cluster aware. This means that deleting an element from the cache on one cluster node results in deleting that element from the corresponding cache instances on all other nodes.
Services-Oriented Architecture in mind, we have been able to continually add new services, which can be used by IBM, our customers and our partners to build more powerful Portlets and Portal applications. When customer requirements demand that the service be available outside the Portal framework, we can leverage WebSphere Application Server's support for J2EE and Web Services standards to execute remote services.
If you use a small heap, then garbage collection will be more frequent but very fast, as there is less memory to search through. With the IBM JVM, the Java heap is preallocated (in terms of native memory) at the maximum heap size, reducing the overall amount of memory available to the system.
Page 158
Note that in addition, when using a Java heap greater than 1 GB with the 1.4.x IBM JVM on AIX, the Java heap will be allocated with mmap() and not malloc().
A Java heapdump analysis may also help. Just-In-Time Compiler (JIT or JITC) By default, the IBM JVM ships with the JIT (Just-In-Time) compiler enabled. JIT effectively offers a performance improvement by replacing some of the commonly used Java methods and objects with highly optimized C and Assembler routines.
Page 160
-XX:MaxNewSize=(50% to 60% of heap) Default size of Permanent Generation -XX:PermSize=512m Maximum Permanent Generation Size -XX:MaxPermSize=768 Ratio of Eden / Survivor Space Size -XX:SurvivorRatio=16 GC Concurrent Collector -XX: +UseConcMarkSweep GC Parallel Collector -XX:+UseParNewGC IBM WebSphere Portal V6 Self Help Guide...
Attention: Incorrectly calculating the various values attributed to the advanced SUN JVM parameters can prevent WebSphere Portal Server from starting up. Always evaluate your parameters in a test or staging environment before undertaking any changes in your production environment. If you experience performance degradation and high %CPU, consider enabling a verbose garbage collection (GC) trace either through the WebSphere Application Server Administrative Console check box or by using the -verbose:gc parameter.
JVM, our advice instead is to divide and conquer (D&C) by implementing WebSphere clustering. Running many JVMs, or cluster members, each with a smaller Web container, will prove beneficial when compared to a single JVM deployment with a large Web container. IBM WebSphere Portal V6 Self Help Guide...
The remaining three additional custom parameters share the same function as their counterparts found in the httpd.conf configuration of the IBM HTTP Server (IHS). 5.2.6 Data source tuning The size and behavior for database connection pools managed by WebSphere are maintained by their associated data source configurations.
Attention: We strongly recommend that you invest the time and effort in tuning either DB2 or Oracle, as defined in the IBM WebSphere Portal Version 6.0 Tuning Guide. For DB2, we found the modifications immediately beneficial, with a Portal response time improvement near 50%.
Page 165
Security cache timeout WebSphere Application Server caches security information related to each authenticated user to save, repeating subsequent User-Registry lookups when a user’s security credential expires. This setting controls how long, in seconds, that information is retained before being discarded. As User-Registry lookups ultimately impact performance, we typically recommend that the security cache timeout be increased from the default value.
To view or modify the Session Management Settings from the WebSphere Application Server Administrative Console, select Servers → Application Servers → WebSphere_Portal → Container Settings → Web Container Settings → Session Management. Table 5-11 on page 153 shows the default and recommended values. IBM WebSphere Portal V6 Self Help Guide...
Table 5-11 Session management settings Parameter Default value Recommended value Session Timeout (idle time) However, the full implication of reducing the HttpSession timeout should be understood. Unlike the LTPAToken timeout setting, which is an absolute timeout value, the HttpSession timeout is based on inactivity and starts to time out each time after a user’s last request. If a user fails to interact with the Portal within the timeout period, the session expires and the user will be advised with the message “Your portal session has timed out because of no activity.
Page 168
Table 5-14 WMM MemberOf parameter Parameter Default value Recommended value groupMembershipAttributeMap Value from Table 5-15 Table 5-15 on page 155 is a summary of the memberOfAttributeName parameters that various LDAP directory servers support. IBM WebSphere Portal V6 Self Help Guide...
Value Active Directory memberOf Novell eDirectory groupMembership IBM Tivoli Directory Server ibm-allGroups Sun ONE Directory Server nsroles a. This attribute is not populated if you add a user to the group through an application other than the Novell eDirectory Administrative Console.
Page 170
Java memory. It also follows that Portal cluster deployments support an accumulative number of entries based on the number of server members participating in the cluster. IBM WebSphere Portal V6 Self Help Guide...
Page 171
Caches may also be shared among all users or maintained on an individual user basis. As this can effect the legitimacy of the caches, we do not recommend modifying the sharing scope of any of the default cache instances. Clustered Portal environments can on occasion experience cache synchronization issues if the Dynamic Cache Replication Service (DRS) is not implemented.
Page 172
I/O, as a separate thread is spawned for each portlet. Table 5-21 on page 159 shows the default and recommended values for the Portlet Container Service. IBM WebSphere Portal V6 Self Help Guide...
Page 173
Table 5-21 Portlet Container Service Parameter Default value Recommended value parallel false true legacy.useParallelRendering false true std.useParallelRendering false true Consult the Information Center for additional parameters that can be modified. PUMA Service The options configured under the PUMA Service affect the performance characteristics of the internal PUMA layer, the function of which is to build a member object associated with a user’s specific attributes.
In this section, we endeavour to share with you some of the techniques commonly used and endorsed by the IBM WebSphere Support Team in determining the root cause of problems and solving the problems. Understanding the components involved with WebSphere Portal Server will greatly help your diagnostic and problem solving skills.
Page 175
AIX standard command-line debugger. You can automate dbx into diagnostic "probes". IBM Support might ask you to obtain and run selected probes, either against a test instance of the troubled application, or against the dump files generated by an application failure.
Page 176
Refer to the IBM Java SDK InfoCenter for more information about using the dbx utility, found http://publib.boulder.ibm.com/infocenter/javasdk/v6r0/index.jsp?topic=/com.ibm.jav a.doc.diagnostics.60/diag/problem_determination/i5os_dbx_sysdump.html JVM hangs Knowing what to do when WebSphere becomes unresponsive will greatly improve your ability to move a problem to a successful resolution. For this reason, we consider the situation when a WebSphere JVM appears to hang on the AIX platform.
In this case, change your focus from what individual threads are doing to what the process as a whole is doing. Refer to Appendix A, “Using IBM tools to find solutions and promote customer self-help” on page 169 for more information about using tools to analyze hangs and crashes.
LDAP, WMM configurations, and so on. Portal login is explained in Chapter 4, “WebSphere Portal security” on page 85. In our environment, we had IBM WebSphere Portal V6 with Active Directory. The login time was a bit long (around 18-20 seconds). We performed a TCP dump and analyzed the dump file and found out that there is a 12 second delay from the LDAP server after a request is sent.
Page 179
Performing these administrative tasks remotely, that is, from another server through an HTTP connection. For more information about how to use XML access and understand the complete process, refer to the IBM Redbooks publication WebSphere Portal Version 6 Enterprise Scale Deployment Best Practices, SG24-7387, found at: http://www.redbooks.ibm.com/redbooks/pdfs/sg247387.pdf...
Page 180
XML configuration interface. Solution: If the access rights of WebSphere Portal are externalized to an external security manager, such as Tivoli Access Manager, make sure that the XML configuration interface virtual resource is not externalized IBM WebSphere Portal V6 Self Help Guide...
Page 181
WebSphere Portal ReleaseBuilder During the staging of follow-on releases of IBM WebSphere Portal, portals, configurations, and artifacts need to be moved between systems. ReleaseBuilder enables the management of release configurations independent of user configurations. Release configuration data can be exported into an XML configuration interface configuration file.
There are lot of third-party tools available for monitoring WebSphere Portal and also some IBM tools, such as IBM Tivoli Composite Application Management (ITCAM) and PV(Performance Viewer).
WebSphere Portal Server administration staff. All of our customers still have access to the IBM traditional world class remote Level 2 defect support teams when required. However, promoting this self-help strategy will enable a staff to be able to effectively and confidently address problems and new requirements in the WebSphere Portal Server environment with increased self-sufficiency.
Perhaps you want to utilize a feature within an IBM product, but do not know where to find the relevant how-to documentation regarding this feature. In addition to the Search feature, ISA provides a Product Information feature that links to product education content by leveraging the IBM Education Assistant tool.
You can then easily create a problem report (PMR) for IBM and attach the collector file at the same time. It is simple to do and yet extremely helpful for expediting a solution from IBM.
Page 186
IBM WebSphere Portal V6 Self Help Guide...
Page 187
Again, for more details about performing the install or upgrade, or details about using ISA’s Updater features, refer to the following links: “The Support Authority: Getting help from the IBM Support Assistant”, found at: http://www.ibm.com/developerworks/websphere/techjournal/0706_supauth/0706_supau th.html The ISA training from the IBM Education Assistant, found at: http://publib.boulder.ibm.com/infocenter/ieduasst/v1r1m0/topic/com.ibm.iea.isa/...
WebSphere Application Server plug-ins as well. After clicking the Updater tab, click the New Plug-ins link and expand the WebSphere folder, as shown in Figure A-2. Figure A-2 Plug-in list IBM WebSphere Portal V6 Self Help Guide...
Page 189
Next, scroll down and choose the plug-ins listed in Figure A-2 on page 174 and click the Install button to install the WebSphere Application Server and WebSphere Portal Server plug-ins. See Figure A-3. Figure A-3 Install plug-ins Appendix A. Using IBM tools to find solutions and promote customer self-help...
Page 190
Forums are a great place to find answers from the collective WebSphere Portal Server user community. Tools: We recommend to immediately use the Updater to install the IBM Guided Activity Assistant (IGAA). Once the IGAA plug-in is installed, you can launch it directly from the ISA Tools feature.
Service: The service feature can be used to create a PMR through ESR, and also provide the ability to automate log collection. IBM Workplace for Customer Support: If you are using ISA V3.1 and you are a Premium Support Customer, you can launch the IBM Workplace for Customer Support page by clicking on the icon on ISA’s Welcome page.
Page 192
Source) at db2j.ai.j.newCloudscapeSQLException(Unknown Source) at db2j.ai.j.generateCsSQLException(Unknown Source) at db2j.ai.c.<init>(Unknown Source) at db2j.ax.b.<init>(Unknown Source) at db2j.aw.c.<init>(Unknown Source) Using this information, let us use the ISA Search feature to see what we can find. IBM WebSphere Portal V6 Self Help Guide...
Page 193
Google Product Information Centers Since the error is occurring on WebSphere Portal Server V6.0.x, we have limited the IBM Software Support Documents search to only WebSphere Portal Server. In addition, we are only searching the WebSphere Portal Server V6.0 InfoCenter, as shown in Figure A-6. Once again, this showcases the power of ISA’s Search feature, as you can narrow or broaden the...
Page 194
Figure A-7. Figure A-7 Initial search results As you can see in Figure A-7, the search returns items from each repository and lists the search results out separately. IBM WebSphere Portal V6 Self Help Guide...
Page 195
As you see in Figure A-8, we now have one result under IBM Software Support Documents. Let us check that result first since it is searching TechNotes. So we click the result under IBM Software Support Documents and it shows the search results in the right hand pane, as shown in Figure A-9.
For further details about the individual features offered by ISA, refer to the document, “The Support Authority: Getting help from the IBM Support Assistant”. The particularly useful guide can be found at: http://www.ibm.com/developerworks/websphere/techjournal/0706_supauth/0706_supauth. html Use case examples - Product Information...
Use case examples - Tools The Tools feature can be used to access some of the same tooling that IBM Level 2 support uses to troubleshoot problems. To gain access to the available tools, you must first install the individual tool plug-ins by using the Updater feature.
Figure A-11. Figure A-11 Available tools For further details about the individual features offered by ISA refer the document, “The Support Authority: Getting help from the IBM Support Assistant”, found at: http://www.ibm.com/developerworks/websphere/techjournal/0706_supauth/0706_supauth. html Use case examples - Service...
Page 199
If you are unsure, select Portal General Problem. If additional collection scripts are needed, the Level 2 support engineer who takes ownership of your PMR will provide further instructions on the specific script to be run to collect the logs. Appendix A. Using IBM tools to find solutions and promote customer self-help...
Page 200
Attention: Following this approach to attach the logs during PMR submission will greatly increase the ability for the Level 2 support engineer to immediately begin work on your PMR. In most cases, following this approach will also result in much quicker problem resolution. IBM WebSphere Portal V6 Self Help Guide...
Page 201
<collector>.jar is created on the ISA machine, move it to the remote WebSphere Portal Server machine and run it there. Create the Portable Collector by clicking the Create Portable Collector option. Appendix A. Using IBM tools to find solutions and promote customer self-help...
Page 202
Once the log collection is complete, move the zip file from the remote WebSphere Portal Server machine locally to the ISA machine. IBM WebSphere Portal V6 Self Help Guide...
IBM support site The WebSphere Portal Server support site is the backbone of the IBM customer self-help tools. The IBM support sites are designed to be the main Web resource for support issues for a given product. How does the support site help IBM software solutions provide and maintain a series of Web pages that are designed to offer information, guidance, and direction to interested readers.
Page 204
IBM support information. Across the top is the familiar breadcrumb trail that is useful in navigating through the layers of IBM Web pages, as shown in Figure A-14.
Page 205
WebSphere Portal and other associated IBM software solutions. The link to the IBM Education Assistant (a companion to the IBM Support and Guided Activity Assistants) offers collections of education modules and materials useful for many levels of experience.
Page 206
This is our interface to numerous datasources across the IBM sites and is the easiest way to use the page to meet your needs. Search results are provided with an indication of relevancy and even by date.
Page 207
From the results page (Figure A-18), one can reach the Advanced search page, which is especially useful when one needs to discriminate the results by version, edition, platform, or other means. Appendix A. Using IBM tools to find solutions and promote customer self-help...
Page 208
Each of the items above is self-explanatory and can be used to tailor your results to meet your needs. For more information describing the components shown in number 3’s list above, refer to the TechNote “Explanation of Functional Areas and Components of IBM WebSphere Portal and WebSphere Portal Express, version 6.0”...
Page 209
IBM or open a PMR. The Information to include link opens up the TechNote “MustGather: Read first for IBM WebSphere Portal”...
Page 210
Figure A-24 Other valuable resources These links found in this section are of particular importance to Self-Help interests: WebSphere Portal catalog: A collection of portlets provided by IBM and other vendors, offering solutions to business integration needs, technology introductions, and example/reference portlets to use in your environment.
Complete information about WebSphere Portal Server communities can be found at the developerWorks site at this link: http://www.ibm.com/developerworks/community/ Bookmark this page, as it should serve as your main entry point into the world of IBM online community resources. To get started using IBM communities, begin with the page “New to developerWorks Community”.
Use the following link as a step-by-step guide to understanding how to introduce RSS into your environment: http://www-306.ibm.com/software/support/rsshelp.html To learn more about the RSS feeds available from IBM, access the IBM developerWorks site http://www.ibm.com/developerworks/rss/ IBM WebSphere Portal V6 Self Help Guide...
It is one place that leads you to the most accessed supported pages regardless of what IBM products you are using. It allows you to quickly search your choice of content residing on several of IBM's servers using the search capabilities from wherever you are on the Web.
Page 214
Search button Enter the desired search string directly into the text box on the toolbar and then click the Search button to search across all of IBM support, or narrow it to a specific product, as shown in Figure A-25.
Page 215
Quick access to product specific software and support pages Quick access to newsgroups and forums Quick access to training and certification roadmaps Quick access to the IBM Education Assistant and other learning resources Appendix A. Using IBM tools to find solutions and promote customer self-help...
IBM Education Assistant is a collection of multimedia educational modules designed to help you gain a better understanding of IBM software products and use them more effectively to meet your business requirements. Modules consist of the following types of content: Presentations (many with audio): Provide an overview of a product or technology or a more in-depth look at a particular product component or feature.
Figure A-28 IBM Education Assistant main page Best practices When first beginning a new project, get into the habit of accessing the IBM Education Assistant to see if any content currently exists for the scenario or procedure you are about to perform.
Figure A-29 IBM Education Assistant Portal content IBM Guided Activity Assistant (IGAA) The IBM Guided Activity Assistant (IGAA) is a new tool that brings together all three of these support elements (information, tools, and processes) to help you solve problems in an easier and more consistent manner.
IBM support representatives. IGAA will quickly bundle up the information you have already gathered and send that information up to IBM Support, who can then pick up right where you left off, saving a significant amount of information gathering time.
To launch IGAA, open ISA and go to the Tools feature and select the IBM Guided Activity Assistant (IGAA) tool. See Figure A-30. Important: If you have not installed the IGAA tool plug-in, you will need to do so through the ISA Updater feature before you can access IGAA through ISA.
Stop the Deployment Manager node. Make a file system backup of the Deployment Manager node. Make a database backup of all the databases associated with WebSphere Portal. Restart the Deployment Manager. IBM WebSphere Portal V6 Self Help Guide...
Important: XMLAccess does not play a part in our backup approach. XMLAccess is not a tool that is designed for full backup purposes. XMLAccess is a tool designed for deploying Portal artifacts from one Portal environment to another Portal environment. For example, you can use XMLAccess to move Portal artifacts from your staging environment into your production environment once the Portal configuration has been thoroughly tested in the staging environment.
Make backup copies of the wpconfig.properties file. In fact, make multiple copies and keep them in multiple places. – It takes time to configure the file correctly. Once done, you do not want to do it again. IBM WebSphere Portal V6 Self Help Guide...
(APAR) is created to document the issue. The IBM Software Support Handbook (http://techsupport.services.ibm.com/guides/handbook.html) defines an APAR as: “A formal report to IBM development, of a problem caused by a suspected defect in a current unaltered release of an IBM program. An APAR may also be used by development to document new function being delivered in the maintenance stream.”...
Page 226
Fix Pack This is the standard delivery for updates; it has been fully regression tested by IBM prior to release. A Fix Pack is a cumulative package of only fixes, such as V6.0.1.1, unless otherwise noted.
Guidance is provided from IBM support showing the current list of recommendations for WebSphere Portal in the TechNote “Recommended fixes and updates for WebSphere Portal” (#7007603). Customers are recommended to use this as a foundation for understanding which service release level to use in their environment, and which Interim Fixes are considered to be critical in nature, to prevent rediscovering problems already corrected.
(QA) testing. For example, if the production environment runs on a clustered series of servers running IBM AIX, then a staging or QA environment should also have a cluster of servers on AIX.
Our approach to fixes If you report a defect to IBM support, an APAR is opened and a fix is prepared, and it is tested by IBM to ensure it works as intended. In some cases, such as a rare configuration or in an unusual integration with an application or custom content not available to IBM support, a test fix might be provided before the fix is made generally available.
Page 230
WebSphere Portal also ships with a variety of portlets available and installed for your use, if desired. Most of these portlets will make their updates available from the IBM WebSphere Portal Business Solutions catalog found at: http://catalog.lotus.com/wps/portal/portal The current versions of portlets, such as the Web Page or Web Clipping portlet, can be found by searching on the portlet’s name on the catalog’s main page, as shown in Figure B-1.
Page 231
When getting the fix from Fix Central, this complexity is handled by IBM by putting all of the required fixes together in one package for easy retrieval and installation.
Only then should an emergency fix be applied to the production environment to correct the specific problem. Install IBM Support Assistant (see “IBM Support Assistant (ISA)” on page 170) on your administrative workstation and use it as your primary self-help interface, along with the product support page, the user forum, and other resources discussed in this Redpaper to identify fixes you need in your environment.
Support Assistant’s Remote Log Collector utility (http://www-306.ibm.com/software/support/isa/) to capture the diagnostic data and log files necessary to find the root cause of the problem. Appendix A, “Using IBM tools to find solutions and promote customer self-help” on page 169 contains the details about best practices for using the IBM Support Assistant.
(DB2) and configured to use the same type of LDAP (or other third-party authentication tool). If, for example, the source WebSphere Portal Server is using IBM Tivoli Directory Server as the user repository in the source portal, you will need to configure the target server to use the same type of LDAP with the same user repository data.
Portal Server and see the same pages and portlets on the target system as were on the source. The following is a link to the IBM WebSphere Portal Server Version 6.0 InfoCenter that provides some general advice for migration verification: http://publib.boulder.ibm.com/infocenter/wpdoc/v6r0/topic/com.ibm.wp.ent.doc/wpf/m...
WAR file, one at a time, with a nullpointer until the all of the WAR files are found. Anonymous user ACLs It is possible in IBM WebSphere Portal V5.1 to assign the anonymous virtual user a role on an item greater than USER. If this is done, the migration import will fail, because this is...
IBM WebSphere Portal V6.0 and above. You will need to remove the offending ACL from the source portal and rerun the export and restart the import. Missing users from the LDAP If users have been removed from the LDAP that the portal is using but not removed from the portal, these users will appear in the export and they will cause a problem when the migration tries to import them.
AutoPD tool or the through the IBM Support Assistant following the directions found at: http://www-1.ibm.com/support/docview.wss?uid=swg21246134 Details about using the IBM Support Assistant are in Appendix A, “Using IBM tools to find solutions and promote customer self-help” on page 169. What is next: typical next steps After the migration is complete, you can continue with the setup of your WebSphere Portal Server as though it was a new WebSphere Portal Server configuration.
IBM Redbooks publications For information about ordering these publications, see “How to get IBM Redbooks publications” on page 225. Note that some of the documents referenced here may be available in softcopy only.
Page 240
IBM WebSphere Portal V6 Self Help Guide...
Self Help Guide Redpaper ™ This IBM Redpaper focuses on considerations for the optimal INTERNATIONAL configuration and use of IBM WebSphere Portal Server. We provide you recommendations for TECHNICAL with the information you need to deploy and manage your WebSphere optimal configuration SUPPORT Portal infrastructure, with the goal of problem avoidance.