Weblogic wonders!!! http://weblogic-wonders.com/weblogic A place for all middleware solutions!! Thu, 09 May 2013 08:25:20 +0000

Multiple Users Forest SSO
http://weblogic-wonders.com/weblogic/2013/05/09/multiple-users-forest-sso/
Thu, 09 May 2013 05:17:15 +0000, by lnatalya

In our lab we created 3 new forests with 3 domains and 3 DNS servers to simulate a complex environment.
Forest DomainA.com
DomainA.com
Domain Controller: DCNL01.domainA.com
WorkStation: DSKNL01
Test user : userA pass:Pumpkin1
sso binding user: ssoA pass: Pumpkin1App
LDAP principal :  WLSAdminA@domaina.com pass:Pumpkin1
Forest DomainB.com
DomainB.com
DC: DCNL02.domainB.com
WorkStation: DSKNL02
Test user: userB pass:Pumpkin1
sso binding user: ssoB pass:Pumpkin1App
LDAP principal :WLSAdminB@domainb.com pass:Pumpkin1

Forest DomainApp.com
DomainApp.com
DC: DCNL03.domainApp.com
WorkStation: DSKNL03
Test user: userApp pass:Pumpkin1
sso binding user: ssoApp pass:Pumpkin1App
V11CON01.domainApp.com – WebLogic server
LDAP: WLSAdminApp pass:Pumpkin1

Application (WebLogic) server installed in DomainApp.com
Application users created in all 3 domains.
Service users for LDAP and SSO created in each domain.
Important: the Kerberos principals must all have the same password, key version number (kvno) and encryption type.
sso user: ssoApp@domainapp.com pass:Pumpkin1App
sso user: ssoB@domainb.com pass:Pumpkin1App
sso user: ssoA@domaina.com pass: Pumpkin1App

DNS resolution needs to be in place.

LDAP

WebLogic is configured with 3 LDAP authentication providers. Their order is important: if you put the identity asserter before DomainB, domainB will only do LDAP authentication.

SSO

SSO commands run on each DC:
DCNL03.domainApp.com
Setspn:  setspn -A HTTP/v11con01.domainapp.com ssoApp
Ktpass run: ktpass   -out SSOKeyTabFile  -kvno 0 -princ HTTP/v11con01@DOMAINAPP.COM -mapuser ssoApp -pass Pumpkin1App  -crypto RC4-HMAC-NT
The keytab written by -out (SSOKeyTabFile) is collected; we will use it for our WebLogic server.
Full output of the ktpass command:

DCNL01.domaina.com
Setspn:  setspn -A HTTP/v11con01.domainapp.com ssoa
Ktpass run: ktpass   -kvno 0 -princ HTTP/v11con01@DOMAINAPP.COM -mapuser domain\ssoa -pass Pumpkin1App  -crypto RC4-HMAC-NT

DCNL02.domainb.com
Setspn:  setspn -A HTTP/v11con01.domainapp.com ssob
Ktpass run: ktpass   -kvno 0 -princ HTTP/v11con01@DOMAINAPP.COM -mapuser domainb\ssob -pass Pumpkin1App  -crypto RC4-HMAC-NT
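The "Important" note above (same password, kvno and encryption type on every forest's principal) is easy to get wrong when three administrators run ktpass on three DCs. The following is an added example, not part of the original post: it parses keytab files in the 0x0502 format that ktpass -out writes and reports where the same SPN differs between forests. It assumes you ran ktpass with -out on each DC (the post only shows -out on the first one) and copied the files to one place; the sample keytabs and the 16-byte key in them are constructed here with the build_keytab helper, not real key material.

```python
"""Cross-forest keytab consistency check (added example, not from the original post)."""
import struct
from dataclasses import dataclass
from typing import Dict, List

ENCTYPE_NAMES = {23: "rc4-hmac", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}


@dataclass
class KeytabEntry:
    principal: str          # e.g. "HTTP/v11con01@DOMAINAPP.COM"
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0
    name_type: int = 1      # KRB5_NT_PRINCIPAL


def _counted(data: bytes, off: int):
    """Read a 16-bit big-endian length-prefixed octet string."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:                    # a negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:              # optional 32-bit kvno overrides the 8-bit field
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype, key, timestamp, name_type))
        off = end
    return entries


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries in the same format; used below only to construct sample files."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:       # realm precedes the name components
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIBH", e.name_type, e.timestamp, e.kvno & 0xFF, e.enctype)
        body += struct.pack(">H", len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def compare_keytabs(keytabs: Dict[str, bytes], principal: str) -> List[str]:
    """Human-readable mismatches for one principal across the given keytabs."""
    found = {}
    for forest, blob in keytabs.items():
        for e in parse_keytab(blob):
            if e.principal == principal:
                found[forest] = e
    problems = ["%s missing from keytab of %s" % (principal, f) for f in keytabs if f not in found]
    if not found:
        return problems
    ref_forest, ref = next(iter(found.items()))
    for forest, e in found.items():
        if e.kvno != ref.kvno:
            problems.append("kvno differs: %s=%d %s=%d" % (ref_forest, ref.kvno, forest, e.kvno))
        if e.enctype != ref.enctype:
            problems.append("enctype differs: %s=%s %s=%s" % (
                ref_forest, ENCTYPE_NAMES.get(ref.enctype, ref.enctype),
                forest, ENCTYPE_NAMES.get(e.enctype, e.enctype)))
        if e.key != ref.key:
            problems.append("key differs: %s vs %s (passwords are not identical)" % (ref_forest, forest))
    return problems


# Constructed sample: one keytab per forest for the same SPN; DOMAINB's kvno has drifted.
PRINCIPAL = "HTTP/v11con01@DOMAINAPP.COM"
RC4_HMAC = 23
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")   # placeholder, not a real key
SAMPLE_KEYTABS = {
    "domainapp": build_keytab([KeytabEntry(PRINCIPAL, 0, RC4_HMAC, SAMPLE_KEY)]),
    "domaina":   build_keytab([KeytabEntry(PRINCIPAL, 0, RC4_HMAC, SAMPLE_KEY)]),
    "domainb":   build_keytab([KeytabEntry(PRINCIPAL, 3, RC4_HMAC, SAMPLE_KEY)]),
}

if __name__ == "__main__":
    for line in compare_keytabs(SAMPLE_KEYTABS, PRINCIPAL):
        print(line)
```

Run it against real files by replacing SAMPLE_KEYTABS with the bytes read from each forest's keytab; a kvno or key mismatch is exactly the case in which tickets from one forest's workstations fail to decrypt while the others work.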

Files for SSO created on the application server

Krb5.ini (located in C:\Winnt)

krb5login.conf

SSOKeyTabFile (generated on the first DC)

After deploying our application we can test SSO:

Tickets from workstation in domaina.com

Tickets from workstation in domainApp.com

Tickets from workstation in domainB

Natalya (natalya.luke@gmail.com)

Troubleshooting classloader issues with WebSphere
http://weblogic-wonders.com/weblogic/2012/12/18/troubleshooting-classloader-issues-with-websphere/
Tue, 18 Dec 2012 08:29:02 +0000, by anandraj

What is a Classloader:

The ClassLoader is a central component of the Java Virtual Machine: it is responsible for loading classes into the JVM.

The ClassLoader class uses a delegation model to search for classes and resources. Each instance of ClassLoader has an associated parent class loader. When requested to find a class or resource, a ClassLoader instance will delegate the search for the class or resource to its parent class loader before attempting to find the class or resource itself. The virtual machine’s built-in class loader, called the “bootstrap class loader”, does not itself have a parent but may serve as the parent of a ClassLoader instance.

There are a few basic classloaders:

  1. Bootstrap classloader: the JVM’s built-in classloader that loads core classes such as java.lang. It uses the boot class path (typically the classes in jre/lib) to find and load classes.
  2. System classloader: loads the classes on the Java classpath.
  3. WebSphere extensions class loader: loads the classes from the ws.ext.dirs class path.
  4. Application classloaders: used by enterprise applications to load classes from the application itself, e.g. JAR files, EJB modules.
  5. Zero or more Web module class loaders: these load the contents of the WEB-INF/classes and WEB-INF/lib directories.

Troubleshooting classloading issues in any environment is an invariably tedious process.

Your application may throw exceptions such as ClassNotFoundException or NoClassDefFoundError. You can use the following approaches to troubleshoot these issues:

1. Using the classloader viewer:

WebSphere has a very good built-in tool to view the class loaders visible to a Web module (.war file) or enterprise bean (.ejb file) in an installed enterprise application. It helps you determine which class loaders loaded the files of a module and diagnose problems with class loaders.

To access it, click on the <Server-Name> –> under Additional Properties –> click on ‘Class Loader Viewer Service’.

Enable the checkbox as below:

This requires a restart of the server.

Then you can view the detailed report by navigating to the Troubleshooting tab in the left panel –> Class Loader Viewer –> select the application you would like to monitor.

2. Enable verbose class loading on the server:

This setting specifies whether verbose debug output is produced for class loading; by default it is not enabled.

Log in to the WebSphere Admin console –> click on the server on which you want to enable verbose class loading –> click on Process Definition under Server Infrastructure –> click on Java Virtual Machine –> enable the Verbose Class Loading option.
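Verbose class loading produces one line per class, which is far too much to read by eye; the usual question is "which jar did this class really come from, and was it defined twice?" The script below is an added example (not from the original post) that answers both from the log. It assumes the two line shapes shown in the comment (HotSpot's "[Loaded ... from ...]" and IBM J9's "class load: ... from: ..."); the sample lines and the jar paths in them are constructed.

```python
"""Find classes defined from more than one location in verbose class-loading output."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Line shapes assumed here: HotSpot "[Loaded <class> from <source>]" and
# IBM J9 "class load: <class> from: <source>" (J9 may write the class with '/').
PATTERNS = [
    re.compile(r"^\[Loaded (?P<cls>\S+) from (?P<src>\S+)\]"),
    re.compile(r"^class load: (?P<cls>\S+) from: (?P<src>\S+)"),
]


def parse_verbose_class(lines) -> List[Tuple[str, str]]:
    """(class name, source) for every recognised line; other lines are ignored."""
    records = []
    for line in lines:
        line = line.strip()
        for pat in PATTERNS:
            m = pat.match(line)
            if m:
                records.append((m.group("cls").replace("/", "."), m.group("src")))
                break
    return records


def locations_of(records, class_name: str) -> List[str]:
    """Every source a class was loaded from (one per defining classloader)."""
    return sorted({src for cls, src in records if cls == class_name})


def find_conflicts(records) -> Dict[str, List[str]]:
    """Classes defined from two or more different sources: the usual sign of a
    parent-first / parent-last conflict between server and application jars."""
    by_class = defaultdict(set)
    for cls, src in records:
        by_class[cls].add(src)
    return {cls: sorted(srcs) for cls, srcs in by_class.items() if len(srcs) > 1}


# Constructed sample output; the paths and jar names are made up.
SAMPLE_LOG = """\
[Loaded java.lang.Object from /opt/IBM/WebSphere/AppServer/java/jre/lib/rt.jar]
class load: org/apache/commons/logging/LogFactory from: file:/opt/IBM/WebSphere/AppServer/plugins/com.ibm.ws.runtime.jar
class load: org/apache/commons/logging/LogFactory from: file:/opt/apps/MyApp.ear/MyWeb.war/WEB-INF/lib/commons-logging-1.1.jar
[Loaded com.example.Helper from file:/opt/apps/MyApp.ear/lib/helper.jar]
""".splitlines()

if __name__ == "__main__":
    recs = parse_verbose_class(SAMPLE_LOG)
    for cls, srcs in find_conflicts(recs).items():
        print(cls)
        for src in srcs:
            print("   ", src)
```

Feed it the server's SystemOut.log or native_stdout.log after enabling the option; a class listed under find_conflicts is a candidate for the NoClassDefFoundError or LinkageError being chased, and the Class Loader Viewer can then confirm which loader won.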

3. Another way to debug classloader issues is to enable debug logging for “com.ibm.ws.classloader.*”.

Click on the server –> click on Change Log Detail Levels and define the class for which you would like to set the logging level.

 

 

Further reading:

http://publib.boulder.ibm.com/infocenter/ieduasst/v1r1m0/index.jsp?topic=/com.ibm.iea.was_v6/was/6.0/Runtime/WASv6_ClassLoader_PD/player.html

 

Cheers,

Team Wonders.

 

socket bind failed exception on websphere
http://weblogic-wonders.com/weblogic/2012/10/09/socket-bind-failed-exception-on-websphere/
Tue, 09 Oct 2012 16:36:22 +0000, by Administrator

We were getting the following exception in the WebSphere logs when we tried to send messages to a queue on WAS.

/14/12 10:26:26:835 EDT] 00000013 TCPPort E TCPC0003E: TCP Channel SIB_TCP_JFAP initialization failed. The socket bind failed for host xxx.xxx.xxx.xxx and port 7276. The port may already be in use.
[9/14/12 10:26:26:875 EDT] 0000001c TCPPort E TCPC0003E: TCP Channel SIB_TCP_JFAP_SSL initialization failed. The socket bind failed for host xxx.xxx.xxx.xxx and port 7286. The port may already be in use.

[ERROR] Cannot create writer connection: Failed to create JMS connection: CWSIA0241E: An exception was received during the call to the method JmsManagedConnectionFactoryImpl.createConnection: com.ibm.websphere.sib.exception.SIResourceException: CWSIT0006E: It is not possible to connect to bus XXX_BUS because the following bootstrap servers could not be contacted [xxx.xxx.xxx.xxx:7286:SecureMessaging] and the following bootstrap servers returned an error condition []. See previous messages for the reason for each bootstrap server failure..Exception Stack: javax.jms.JMSException: CWSIA0241E: An exception was received during the call to the method JmsManagedConnectionFactoryImpl.createConnection: com.ibm.websphere.sib.exception.SIResourceException: CWSIT0006E: It is not possible to connect to bus BML_BUS because the following bootstrap servers could not be contacted [xxx.xxx.xxx.xxx:7286:SecureMessaging] and the following bootstrap servers returned an error condition []. See previous messages for the reason for each bootstrap server failure..
at com.ibm.ws.sib.api.jms.impl.JmsManagedConnectionFactoryImpl.createConnection(JmsManagedConnectionFactoryImpl.java:240)
at com.ibm.ws.sib.api.jms.impl.JmsQueueConnectionFactoryImpl.createQueueConnection(JmsQueueConnectionFactoryImpl.java:152)
at com.ibm.ws.sib.api.jms.impl.JmsQueueConnectionFactoryImpl.createQueueConnection(JmsQueueConnectionFactoryImpl.java:116)
at com.informatica.powerconnect.jms.server.common.PlginJMSConnection$PlginJMSQueueConnection.createConnection(PlginJMSConnection.java:375)
at com.informatica.powerconnect.jms.server.common.PlginJMSConnection.(PlginJMSConnection.java:90)
at com.informatica.powerconnect.jms.server.common.PlginJMSConnection$PlginJMSQueueConnection.(PlginJMSConnection.java:352)
at com.informatica.powerconnect.jms.server.common.PlginJMSConnection.create(PlginJMSConnection.java:115)
at com.informatica.powerconnect.jms.server.writer.JMSWriterConn.init(JMSWriterConn.java:93)
Caused by: com.ibm.websphere.sib.exception.SIResourceException: CWSIT0006E: It is not possible to connect to bus XXX_BUS because the following bootstrap servers could not be contacted [xxx.xxx.xxx.xxx:7286:SecureMessaging] and the following bootstrap servers returned an error condition []. See previous messages for the reason for each bootstrap server failure.
at com.ibm.ws.sib.trm.client.TrmSICoreConnectionFactoryImpl2.bootstrapRequest(TrmSICoreConnectionFactoryImpl2.java:608)
at com.ibm.ws.sib.trm.client.TrmSICoreConnectionFactoryImpl2.remoteBootstrap(TrmSICoreConnectionFactoryImpl2.java:405)
at com.ibm.ws.sib.trm.client.TrmSICoreConnectionFactoryImpl2.createConnection(TrmSICoreConnectionFactoryImpl2.java:240)
at com.ibm.ws.sib.trm.client.TrmSICoreConnectionFactoryImpl2.createConnection(TrmSICoreConnectionFactoryImpl2.java:145)
at com.ibm.ws.sib.api.jmsra.impl.JmsJcaConnectionFactoryImpl.createCoreConnection(JmsJcaConnectionFactoryImpl.java:563)
at com.ibm.ws.sib.api.jmsra.impl.JmsJcaConnectionFactoryImpl.createCoreConnection(JmsJcaConnectionFactoryImpl.java:499)
at com.ibm.ws.sib.api.jmsra.impl.JmsJcaConnectionFactoryImpl.createConnection(JmsJcaConnectionFactoryImpl.java:312)
at com.ibm.ws.sib.api.jms.impl.JmsManagedConnectionFactoryImpl.createConnection(JmsManagedConnectionFactoryImpl.java:206)
… 7 more
Linked Exception Stack: com.ibm.websphere.sib.exception.SIResourceException: CWSIT0006E: It is not possible to connect to bus XXX_BUS because the following bootstrap servers could not be contacted [xxx.xxx.xxx.xxx:7286:SecureMessaging] and the following bootstrap servers returned an error condition []. See previous messages for the reason for each bootstrap server failure.
at com.ibm.ws.sib.trm.client.TrmSICoreConnectionFactoryImpl2.bootstrapRequest(TrmSICoreConnectionFactoryImpl2.java:608)
at com.ibm.ws.sib.trm.client.TrmSICoreConnectionFactoryImpl2.remoteBootstrap(TrmSICoreConnectionFactoryImpl2.java:405)
at com.ibm.ws.sib.trm.client.TrmSICoreConnectionFactoryImpl2.createConnection(TrmSICoreConnectionFactoryImpl2.java:240)
at com.ibm.ws.sib.trm.client.TrmSICoreConnectionFactoryImpl2.createConnection(TrmSICoreConnectionFactoryImpl2.java:145)
at com.ibm.ws.sib.api.jmsra.impl.JmsJcaConnectionFactoryImpl.createCoreConnection(JmsJcaConnectionFactoryImpl.java:563)
at com.ibm.ws.sib.api.jmsra.impl.JmsJcaConnectionFactoryImpl.createCoreConnection(JmsJcaConnectionFactoryImpl.java:499)
at com.ibm.ws.sib.api.jmsra.impl.JmsJcaConnectionFactoryImpl.createConnection(JmsJcaConnectionFactoryImpl.java:312)
at com.ibm.ws.sib.api.jms.impl.JmsManagedConnectionFactoryImpl.createConnection(JmsManagedConnectionFactoryImpl.java:206)
at com.ibm.ws.sib.api.jms.impl.JmsQueueConnectionFactoryImpl.createQueueConnection(JmsQueueConnectionFactoryImpl.java:152)
at com.ibm.ws.sib.api.jms.impl.JmsQueueConnectionFactoryImpl.createQueueConnection(JmsQueueConnectionFactoryImpl.java:116)
at com.informatica.powerconnect.jms.server.common.PlginJMSConnection$PlginJMSQueueConnection.createConnection(PlginJMSConnection.java:375)
at com.informatica.powerconnect.jms.server.common.PlginJMSConnection.(PlginJMSConnection.java:90)
at com.informatica.powerconnect.jms.server.common.PlginJMSConnection$PlginJMSQueueConnection.(PlginJMSConnection.java:352)
at com.informatica.powerconnect.jms.server.common.PlginJMSConnection.create(PlginJMSConnection.java:115)
at com.informatica.powerconnect.jms.server.writer.JMSWriterConn.init(JMSWriterConn.java:93)

 

This was identified as an issue with the DNS name; fixing the DNS name resolved the error.
Wonders Team!
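TCPC0003E says only "the port may already be in use", but a name that resolves to an address the host does not own produces the same bind failure, which is what the DNS fix above points to. The function below is an added example (not part of the original post) that separates the cases: unresolvable name, name resolving to a non-local address, port genuinely in use, or bind possible. occupy_port is a helper to demonstrate the in-use case on a loopback port; the host names in the usage are placeholders.

```python
"""Classify why a TCP channel could fail to bind host:port (added example)."""
import errno
import socket
from typing import List


def diagnose_bind(host: str, port: int) -> str:
    """Returns "ok", "in-use", "not-local" or "unresolvable"."""
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolvable"            # the configured name does not resolve at all
    outcome = "not-local"                # resolves, but to an address this host does not own
    for family, socktype, proto, _, sockaddr in infos:
        s = socket.socket(family, socktype, proto)
        try:
            s.bind(sockaddr)
            return "ok"                  # address is local and the port is free
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                outcome = "in-use"       # another listener (or a stale JVM) holds the port
            # EADDRNOTAVAIL and similar keep the "not-local" verdict
        finally:
            s.close()
    return outcome


def resolves_to(host: str) -> List[str]:
    """Addresses a host name resolves to, to compare with the host's own interfaces."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def occupy_port():
    """Open a listener on an ephemeral loopback port; returns (socket, port)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    for host in ("127.0.0.1", "no-such-host.invalid"):   # placeholders; use the endpoint's host name
        print(host, "->", diagnose_bind(host, 7276))
```

Run it on the WAS host with the host name from the SIB endpoint configuration and port 7276/7286; "not-local" means the name is wrong or resolves elsewhere, "in-use" means netstat (or a previous server instance) is the next place to look.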

Configure IIS7 as a proxy with weblogic server.
http://weblogic-wonders.com/weblogic/2012/10/03/configure-iis7-as-a-proxy-with-weblogic-server/
Wed, 03 Oct 2012 06:13:12 +0000, by Chetan Jain

To configure the WLS proxy, the first thing to do is to place iisproxy.dll, iisforward.dll and iisproxy.ini in the root folder of the website.

 

In this example I use the Default Web Site installed with IIS, so the files above are copied into its root directory, C:\Inetpub\wwwroot\. (NOTE: for the configuration to work smoothly, always copy iisforward.dll and iisproxy.dll into the root directory of the website; otherwise loading the iisforward.dll module will fail due to permission issues.)

 

The iisproxy.ini has the following parameters:

WebLogicHost=<dns name or ip address>

WebLogicPort=<listening port for WLS>

WlForwardPath=/examplesWebApp

WlForwardPath is the web application you want to proxy to in this example. If all web applications are to be proxied to WebLogic Server, just use WlForwardPath=/

Debug=ALL

Optional; used to collect debug information. By default it is logged to c:\TEMP\wlproxy.log

DebugConfigInfo=ON

DebugConfigInfo is also only used for debugging; the default is OFF.

Also note the WebLogicCluster=myweblogic.com:7001,yourweblogic.com:7001 entry if you are using a cluster. It replaces the WebLogicHost and WebLogicPort entries.

 

(See  http://docs.oracle.com/cd/E23943_01/web.1111/e14395/plugin_params.htm for complete parameter list)

 

So, to get started, all that needs to be in iisproxy.ini is the following when proxying by web application name. If proxying exclusively by MIME type (e.g. .jsp), WlForwardPath does not need to be specified in iisproxy.ini.

NOTE: the entries are case sensitive.

WebLogicHost=<dns name or ip address>

WebLogicPort=<listening port for WLS>

WlForwardPath=/examplesWebApp
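The rules spelled out above (case-sensitive names, WebLogicCluster replacing WebLogicHost/WebLogicPort, Debug and DebugConfigInfo being debugging aids) are the things that go wrong when the file is edited by hand, and the plug-in silently ignores what it does not recognise. The script below is an added example, not from the original post: a small linter for iisproxy.ini that checks exactly those rules before the file is dropped into wwwroot. It only knows the parameter names discussed on this page; the host name in the sample files is a placeholder.

```python
"""Lint an iisproxy.ini before deploying it (added example, not from the original post)."""
from typing import Dict, List

# Parameter names the plug-in reads are case sensitive; these are the ones covered in the post.
KNOWN_KEYS = {"WebLogicHost", "WebLogicPort", "WebLogicCluster",
              "WlForwardPath", "Debug", "DebugConfigInfo"}


def parse_ini(text: str) -> Dict[str, str]:
    """key=value lines; blank lines and '#' comments are skipped."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def lint(params: Dict[str, str]) -> List[str]:
    findings: List[str] = []
    by_lower = {k.lower(): k for k in KNOWN_KEYS}
    for key in params:
        if key not in KNOWN_KEYS and key.lower() in by_lower:
            findings.append("'%s' will be ignored: the parameter is spelled '%s'"
                            % (key, by_lower[key.lower()]))
    has_cluster = "WebLogicCluster" in params
    has_single = "WebLogicHost" in params and "WebLogicPort" in params
    if not has_cluster and not has_single:
        findings.append("no back end: set WebLogicCluster, or both WebLogicHost and WebLogicPort")
    if has_cluster and ("WebLogicHost" in params or "WebLogicPort" in params):
        findings.append("WebLogicCluster replaces WebLogicHost/WebLogicPort; remove the single-server entries")
    if params.get("Debug", "").upper() == "ALL":
        findings.append("Debug=ALL logs every proxied request (default c:\\TEMP\\wlproxy.log); "
                        "disable it when not troubleshooting")
    if params.get("DebugConfigInfo", "OFF").upper() == "ON":
        findings.append("DebugConfigInfo=ON is a debugging aid; the default is OFF")
    if "WlForwardPath" not in params:
        findings.append("note: no WlForwardPath, so only requests matched by handler mapping "
                        "(e.g. by MIME type) are forwarded")
    return findings


# Constructed sample files; the host name is a placeholder.
SAMPLE_BAD = """\
WebLogicHost=wls.example.internal
weblogicport=7001
WlForwardPath=/examplesWebApp
Debug=ALL
DebugConfigInfo=ON
"""

SAMPLE_GOOD = """\
WebLogicHost=wls.example.internal
WebLogicPort=7001
WlForwardPath=/examplesWebApp
"""

if __name__ == "__main__":
    for name, text in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, lint(parse_ini(text)) or ["no findings"])
```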

 

 

This is sample output from the directory in which iisproxy.dll, iisforward.dll and iisproxy.ini are placed:

Directory of C:\inetpub\wwwroot

10/02/2012  12:03 AM    <DIR>          .
10/02/2012  12:03 AM    <DIR>          ..
10/02/2012  12:06 AM           20,480 iisforward.dll
10/02/2012  12:06 AM          626,176 iisproxy.dll
10/02/2012  12:06 AM               182 iisproxy.ini
10/02/2012  12:09 AM               689 iisstart.htm
10/02/2012  12:09 AM               168 web.config
10/02/2012  12:09 AM           184,946 welcome.png
               6 File(s)        832,641 bytes
               2 Dir(s)  15,052,578,816 bytes free

And here is how it looks from IIS 7.0 (Default Web Site → Content View).

Note: I am using the Default Web Site in this example.

 

If you do not have IIS 7.0 installed on your Windows Server 2008, follow the instructions at the link below to install IIS 7.0:

http://learn.iis.net/page.aspx/29/installing-iis7-on-windows-server-2008/

Now configure IIS 7.0.

Before you configure IIS 7.0, make sure it is installed with ISAPI Filters and ISAPI Extensions. If it is, Default Web Site → Features View should look like below:

If you do not see the ISAPI Filters icon in the Features View, go to “Server Manager”, and in the left pane under Roles click on Web Server (IIS).

Then click on “Add Role Services” in the right pane.

Then check “ISAPI Filters” and “ISAPI Extensions”, click “Next” and then click on Install.


Now go back to IIS 7.0 and click on Default Web Site as shown below:

Click on the ISAPI Filters icon in Features View.

In the right pane click on Add.

Enter any name of your choice for the filter name.

Click browse (…), select iisforward.dll from C:/inetpub/wwwroot and then click OK.

Next go back to Default Web Site and click on “Handler Mappings”.

Click on ‘Add Script Map…’ in the right-hand menu. Enter * for the Request path. Browse to the iisproxy.dll file and add it as the executable. Name it ‘proxy’.

Click on the Request Restrictions… button and uncheck the box titled ‘Invoke handler only if the request is mapped to’.

Click OK to add this handler mapping. Click ‘Yes’ on the Add Script Map dialog box.

 

Similarly, if you want to configure proxying by path, click on Add Script Map, give the Request path as ‘.wlforward’ and select iisproxy.dll as the executable.

Click on the Request Restrictions… button and uncheck the box titled ‘Invoke handler only if the request is mapped to’.

Click OK to add this handler mapping. Click ‘Yes’ on the Add Script Map dialog box.

 

Click on the root node of the IIS Manager tree and click on ISAPI and CGI Restrictions.

Then click on “Edit Feature Settings” in the right-hand menu.

Check the ‘Allow unspecified ISAPI modules’ checkbox and click OK. (A tighter alternative is to leave that box unchecked and add iisproxy.dll to the ISAPI and CGI Restrictions list as an explicitly allowed extension, so that only this module is permitted to run.)

Restart IIS. Go to Default Web Site and click on Restart in the right-hand menu.

Now access the examples web application through IIS at http://localhost/examplesWebApp

How to secure specific URL’s of an application on Weblogic
http://weblogic-wonders.com/weblogic/2012/03/01/how-to-secure-specific-urls-of-an-application-on-weblogic/
Thu, 01 Mar 2012 16:20:44 +0000, by Faisal

We can do that by using the DD model “Custom Roles and Policies” and defining URL-pattern-scoped policies.

The screenshots below give an idea. If you have any queries, feel free to let us know.

1. Deploy the application using the DD model “Custom Roles and Policies”.

 

Create a new user testuser.

Go to

Deployments > TestApp > Security > URL Patterns > Roles

Click New and provide the URL pattern /protected/* and the role testrole.

Click on testrole and add user testuser to the role condition. Remember to save!

Go to

Deployments > TestApp > Security > URL Patterns > Policies

Create a new policy for /protected/* and add testrole to that policy.
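Once the role and policy are saved, the thing worth checking is the behaviour from outside: anonymous requests under /protected/* must be refused, a member of testrole must get in, and paths outside the pattern must stay reachable. The script below is an added example, not from the original post. It assumes the application uses BASIC authentication (with FORM login an anonymous request would get a 200 login page instead, and the check would need adjusting) and, so that it runs offline, it includes a constructed stand-in HTTP server that enforces the same rule; point verify_url_policy at the real TestApp URL and the user created above to test the WebLogic deployment itself.

```python
"""Verify URL-pattern protection from the outside (added example, not from the original post)."""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the deployed TestApp: BASIC auth is demanded under /protected/*
# and only the (hypothetical) role members listed here are admitted.
ROLE_MEMBERS = {"testuser": "testpass"}   # constructed credentials


class StandInApp(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path.startswith("/protected/"):
            auth = self.headers.get("Authorization", "")
            if not auth.startswith("Basic "):
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="TestApp"')
                self.end_headers()
                return
            user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
            if ROLE_MEMBERS.get(user) != password:
                self.send_response(403)       # known path, but not a member of testrole
                self.end_headers()
                return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):             # keep the demo quiet
        pass


def start_stand_in():
    """Serve the stand-in on an ephemeral loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), StandInApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def fetch_status(url, user=None, password=None):
    """HTTP status of a GET, optionally with BASIC credentials; env proxies are bypassed."""
    request = urllib.request.Request(url)
    if user is not None:
        token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        request.add_header("Authorization", "Basic " + token)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(request, timeout=5) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code


def verify_url_policy(base_url, user, password):
    """Exercise the four cases a /protected/* policy must get right."""
    secret = base_url + "/protected/secret.html"
    return {
        "public_anonymous": fetch_status(base_url + "/index.html"),
        "protected_anonymous": fetch_status(secret),
        "protected_as_role_member": fetch_status(secret, user, password),
        "protected_bad_credentials": fetch_status(secret, user, password + "x"),
    }


def policy_holds(results):
    """401 or 403 are both acceptable refusals; only the role member may see 200."""
    return (results["public_anonymous"] == 200
            and results["protected_anonymous"] in (401, 403)
            and results["protected_as_role_member"] == 200
            and results["protected_bad_credentials"] in (401, 403))


if __name__ == "__main__":
    server, base = start_stand_in()
    outcome = verify_url_policy(base, "testuser", "testpass")
    print(outcome, "policy holds:", policy_holds(outcome))
    server.shutdown()
```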

 

General Weblogic Server Interview Questions
http://weblogic-wonders.com/weblogic/2012/02/21/general-weblogic-server-interview-questions/
Wed, 22 Feb 2012 01:36:43 +0000, by Faisal

I often get mails from people asking what questions interviewers generally ask about Weblogic.
Generally for Administrator positions, in addition to Weblogic questions, there are a lot of Unix questions and a few questions related to process and case handling.

These are the important questions that I cover while interviewing.

1. How do you differentiate between a server hang and a server crash?

When a server crashes, the Java process no longer exists. When the server is hung, it stops responding.
We can use the weblogic.Admin utility to ping the server. In a hang situation we can take multiple thread dumps and analyze the cause of the hang.

2. What can be the various reasons for a server crash?

a) Native IO
b) SSL Native Libraries
c) JVM
d) Supported Configuration
e) JDBC Driver issue

3. How do you troubleshoot a crash?

A JVM crash generates an hs_err_pid file. We need to look into the stack trace in the hs_err_pid file.
If the thread is from native IO, we need to disable native IO.
If the stack trace is from the driver, we need to get in touch with the driver team.
Quite possibly it is a problem with the driver; changing the type of driver can be a workaround.
If the thread shows it coming from optimized code, we can turn off optimization.
If the stack is from native calls of the application, it is a bug in the application and it has to be modified.

4. How do you troubleshoot a server hang?

We can use java weblogic.Admin PING to check whether we get a normal response.
We need to take multiple thread dumps, with kill -3 <pid> on Unix and Ctrl+Break on Windows.
Analyze the thread dumps to find the root cause.
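"Analyze the thread dump" is the step candidates rarely describe concretely. One of the root causes listed below (a deadlock) can be found mechanically: build a wait-for graph from the "- waiting to lock <addr>" and "- locked <addr>" lines and look for a cycle. The script below is an added example, not part of the original post; it assumes the HotSpot thread-dump line shapes shown in the constructed sample (the thread names, addresses and class names are made up).

```python
"""Wait-for-graph deadlock detection on a HotSpot-style thread dump (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

THREAD_RE = re.compile(r'^"(?P<name>[^"]+)"')
LOCKED_RE = re.compile(r'-\s+locked <(?P<lock>0x[0-9a-fA-F]+)>')
WAITING_RE = re.compile(r'-\s+waiting to lock <(?P<lock>0x[0-9a-fA-F]+)>')


def parse_thread_dump(text: str) -> Tuple[Dict[str, Set[str]], Dict[str, str]]:
    """Return (monitors held per thread, monitor each blocked thread is waiting for)."""
    held: Dict[str, Set[str]] = defaultdict(set)
    waiting: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        m = THREAD_RE.match(line)          # a thread header starts with its quoted name
        if m:
            current = m.group("name")
            continue
        if current is None:
            continue
        m = LOCKED_RE.search(line)
        if m:
            held[current].add(m.group("lock"))
            continue
        m = WAITING_RE.search(line)
        if m:
            waiting[current] = m.group("lock")
    return held, waiting


def find_deadlocks(text: str) -> List[List[str]]:
    """Each returned list is a cycle of threads, each waiting for a monitor the next one holds."""
    held, waiting = parse_thread_dump(text)
    owner = {lock: thread for thread, locks in held.items() for lock in locks}
    wait_for = {t: owner[lock] for t, lock in waiting.items() if lock in owner}
    cycles, seen = [], set()
    for start in wait_for:
        path, t = [], start
        while t in wait_for and t not in path:
            path.append(t)
            t = wait_for[t]
        if t in path:                      # walked back onto the path: a cycle
            cycle = path[path.index(t):]
            if frozenset(cycle) not in seen:
                seen.add(frozenset(cycle))
                cycles.append(cycle)
    return cycles


# Constructed dump fragment: two execute threads holding each other's Account monitor.
SAMPLE_DUMP = """\
"ExecuteThread: '1'" daemon prio=5 tid=0x0a1b nid=0x1a waiting for monitor entry
   java.lang.Thread.State: BLOCKED (on object monitor)
        at com.example.Transfer.credit(Transfer.java:42)
        - waiting to lock <0x00000007d5a1b2c8> (a com.example.Account)
        - locked <0x00000007d5a1b3d0> (a com.example.Account)

"ExecuteThread: '2'" daemon prio=5 tid=0x0a1c nid=0x1b waiting for monitor entry
   java.lang.Thread.State: BLOCKED (on object monitor)
        at com.example.Transfer.credit(Transfer.java:42)
        - waiting to lock <0x00000007d5a1b3d0> (a com.example.Account)
        - locked <0x00000007d5a1b2c8> (a com.example.Account)

"ExecuteThread: '3'" daemon prio=5 tid=0x0a1d nid=0x1c runnable
   java.lang.Thread.State: RUNNABLE
        at com.example.Worker.run(Worker.java:17)
        - locked <0x00000007d5a1c000> (a java.lang.Object)
"""

if __name__ == "__main__":
    for cycle in find_deadlocks(SAMPLE_DUMP):
        print("deadlock:", " -> ".join(cycle))
```

Taking several dumps a few seconds apart, as the answer above says, matters here too: a cycle that appears in every dump is a deadlock, while threads that are blocked in one dump and running in the next are contention, not deadlock.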

5. What can be the reasons for a server hang?

Memory leak, a database query taking a long time to return, deadlock.

6. What is a memory leak?

A memory leak is when objects are not removed from the heap even when they are no longer required.

7. What are the various causes for OUT OF MEMORY?

a) Insufficient heap size, not able to handle the extra load.
b) Objects living too long, like HTTP sessions.
c) Memory leak in application code.
d) Full GC not happening due to a JVM bug.

8. How to troubleshoot and overcome such issues?

Gather memory data by enabling verbose GC.
If it is due to HTTP sessions, timing out HTTP sessions after a certain interval might help.
Look into the code for JDBC connection handling.
Optimize the heap size according to the load.

9. When does High CPU Usage occur?

It occurs when one process or one thread uses an unexpectedly high proportion of the CPU.

10. How to troubleshoot it?

In a Solaris environment, we need to take pstack and prstat output and see what the threads are doing.
On Windows we need to use pslist and Process Explorer.

11. What is Clustering and what is achieved through it?

Clustering is the grouping together of servers for the purpose of high availability and scalability.
Load balancing and Failover is achieved.

12. How does Cluster Communication Happen?

Members of the Cluster communicate over the Cluster Multicast IP and Port by sending periodic heart beat messages.

13. What is the difference between the Sun JVM and BEA JRockit JVM?

The most well know JVM is the implementation from Sun. The Sun JVM is called HotSpot. The Sun JVM is shipped in the Java Developer’s Kit (JDK) and Java Runtime Environment (JRE) from Sun.

The BEA JRockit JVM from BEA systems is optimized for reliability and performance for server side applications. To achieve this, BEA JRockit JVM uses technologies such as code generation, hot spot detection, code optimization, advanced garbage collection algorithms and tight operating system integration.

14. Tuning JVM parameters.

If you have a single processor, single thread machine then you should use the serial collector (default for some configurations, can be enabled explicitly for with -XX:+UseSerialGC). For multiprocessor machines where your workload is basically CPU bound, use the parallel collector. This is enabled by default if you use the -server flag, or you can enable it explicitly with -XX:+UseParallelGC. If you’d rather keep the GC pauses shorter at the expense of using more total CPU time for GC, and you have more than one CPU, you can use the concurrent collector (-XX:+UseConcMarkSweepGC). Note that the concurrent collector tends to require more RAM allocated to the JVM than the serial or parallel collectors for a given workload because some memory fragmentation can occur.

15. How do you do performance tuning of WLS?

It can be categorized in 4 parts.
a. Application tuning:
JSP precompilation, EJB pool size, cache, etc.

b. OS tuning:

Setting TCP/IP parameters, e.g.
tcp_time_wait_interval
tcp_conn_req_max_q

c. Core server tuning:

Tune work managers, tune chunk size and chunk pool size, use performance packs, connection backlog buffering.

d. JVM tuning:
Tuning the GC strategy, monitoring garbage collection, etc.

Webservice Security – WS-Trust and WS-SecureConversation an overview
http://weblogic-wonders.com/weblogic/2012/02/03/webservice-security-ws-trust-and-ws-secureconversation-an-overview/
Fri, 03 Feb 2012 19:34:24 +0000, by Faisal

Webservices

“A Web Service is a system designed to support interoperable communication from machine to machine over a network. It includes an interface described in a machine-processable format (WSDL), and is typically conveyed using HTTP with XML serialization.”
Web services exist across a wide range of architectures, technologies and software designs. They provide an interaction mechanism between business-to-business applications. Web services rely on the SOAP protocol for the interaction between B2B applications. SOAP is an XML-based protocol that uses HTTP as its base transport protocol. Following is an example of a SOAP request and SOAP response:

 

REQUEST

POST /SecureHelloWorldService/SecureHelloWorldService HTTP/1.1
User-Agent: BEA WebLogic Server 10.3.0.0
Content-Type: text/xml; charset=utf-8
SOAPAction: ""
Host: 127.0.0.1:7000
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-Length: 187

<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Header />
  <env:Body>
    <m:sayHello xmlns:m="http://www.bea.com">
      <m:s>World</m:s>
    </m:sayHello>
  </env:Body>
</env:Envelope>

RESPONSE

HTTP/1.1 200 OK
Date: Tue, 24 Jan 2012 06:15:42 GMT
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
SOAPAction: ""
X-Powered-By: Servlet/2.5 JSP/2.1

<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Header />
  <env:Body>
    <m:sayHelloResponse xmlns:m="http://www.bea.com">
      <m:return>Hello World</m:return>
    </m:sayHelloResponse>
  </env:Body>
</env:Envelope>

 

Webservices Security

In a secure environment, data exchange cannot happen in clear text, as sensitive information might be exchanged. Securing the communication channel for all communication is an overhead, however, and might not be acceptable in all scenarios. Hence many specifications exist that allow the exchanged data itself to be secured. One such framework is WS-Policy, which defines how secure messages can be exchanged. To demonstrate this I secured the above web service using standard policies and captured the SOAP request and SOAP response.

@Policies({
    @Policy(uri="policy:Auth.xml", direction=Policy.Direction.inbound),
    @Policy(uri="policy:Sign.xml"),
    @Policy(uri="policy:Encrypt.xml")
})

 

The message body is encrypted:

<env:Body wsu:Id="Body_FE10KgY262Y31ZRm" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <ns1:EncryptedData Id="3ZpXu9BlqgQNKF4s" Type="http://www.w3.org/2001/04/xmlenc#Content" MimeType="text/xml" Encoding="UTF-8" xmlns:ns1="http://www.w3.org/2001/04/xmlenc#">
    <ns1:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
    <ns1:CipherData>
      <ns1:CipherValue>T7MoCfhyDwXRjLrpRhZ62es3qK2jhTbY2ReS1ZSWhRaBidi8DwW5EbzNQKgudtPa8m7zxkW/ljebMV5dSvIZrJC1o+6peC111iFgPC4jMyA=</ns1:CipherValue>
    </ns1:CipherData>
  </ns1:EncryptedData>
</env:Body>

 

In addition to this, security tokens need to be passed for authentication and authorization purposes.

Username Password Token

<wsse:UsernameToken wsu:Id="unt_CQbnapvDgXSDnTtZ" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsse:Username>weblogic</wsse:Username>
  <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">weblogic</wsse:Password>
</wsse:UsernameToken>

 

Binary Security Token

<wsse:BinarySecurityToken wsu:Id="bst_MIWyV2RKFBlLh9AT"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
    EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIICYTCCAgugAwIBAgIQsAtcv4jhs9Rpsu6m.....
.....xuT69jAN
BgkqhkiG9w0BAQQFADB5MQswCQYDVQQGEwJVUzEQM
</wsse:BinarySecurityToken>

 

Following is the list of supported tokens that can be used for authentication and authorization purposes.

Table 1. Supported token types

User Name Token-Plain: Carries basic information (username and a clear text password or shared secret) for purposes of authenticating the user identity to the WSP. Communication is done in plain text, so SSL over HTTPS transport must be used to protect the credentials.

Kerberos Token: Carries basic information (username and, optionally, a password or shared secret), in a Kerberos token, for purposes of authenticating the user identity to the WSP.

X.509 Token: Contains an X.509 formatted certificate for authentication using credentials created with a public key infrastructure (PKI). In this case, the WSC and WSP must trust each other’s public keys or share a common, trusted certificate authority.

SAML-Holder-Of-Key Token: Uses the SAML holder-of-key confirmation method, whereby the WSC supplies a SAML assertion with public key information as the means for authenticating the requester to the web service provider. A second signature binds the assertion to the SOAP payload. Can use either SAML v1.x or SAML v2.

SAML-Sender-Vouches Token: Uses the SAML sender-vouches confirmation method, whereby the WSC adds a SAML assertion and a digital signature to a SOAP header. A sender certificate or public key is also provided with the signature. Can use either SAML v1.x or SAML v2.
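The captured fragments above show the three things a reviewer checks in a WS-Security message: which tokens are in the Security header, whether the Body is actually EncryptedData, and (per Table 1) whether a plain-text UsernameToken is travelling over TLS. The script below is an added example, not from the original post: it parses a message and produces that report. It assumes the standard OASIS WSS 1.0 namespaces for wsse and wsu (the fragments above omit the wsse declaration); the sample message is constructed from the page's fragments with the certificate and ciphertext truncated.

```python
"""Inspect a WS-Security SOAP message for tokens and Body protection (added example)."""
import xml.etree.ElementTree as ET
from typing import Dict

NS = {
    "env": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")


def inspect_message(xml_text: str, over_tls: bool) -> Dict:
    """Which tokens are present, whether the Body is encrypted/signed, and findings."""
    root = ET.fromstring(xml_text)
    header = root.find("env:Header", NS)
    body = root.find("env:Body", NS)
    security = header.find("wsse:Security", NS) if header is not None else None
    enc = body.find("xenc:EncryptedData", NS) if body is not None else None
    method = enc.find("xenc:EncryptionMethod", NS) if enc is not None else None
    report = {
        "body_encrypted": enc is not None,
        "encryption_algorithm": method.get("Algorithm") if method is not None else None,
        "signed": security is not None and security.find("ds:Signature", NS) is not None,
        "tokens": [],
        "findings": [],
    }
    if security is not None:
        for unt in security.findall("wsse:UsernameToken", NS):
            pw = unt.find("wsse:Password", NS)
            # PasswordText is the profile's default when Type is absent
            ptype = pw.get("Type", PASSWORD_TEXT) if pw is not None else "none"
            report["tokens"].append("UsernameToken/" + ptype.rsplit("#", 1)[-1])
            if ptype == PASSWORD_TEXT and not over_tls:
                report["findings"].append("clear-text password in UsernameToken without TLS")
        for bst in security.findall("wsse:BinarySecurityToken", NS):
            report["tokens"].append("BinarySecurityToken/" + bst.get("ValueType", "").rsplit("#", 1)[-1])
    if not report["body_encrypted"]:
        report["findings"].append("SOAP Body is not encrypted")
    elif (report["encryption_algorithm"] or "").endswith("#tripledes-cbc"):
        report["findings"].append("Body uses legacy tripledes-cbc; prefer an AES suite")
    return report


# Constructed sample assembled from the fragments on this page; values are truncated.
SAMPLE_REQUEST = """<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <env:Header>
    <wsse:Security>
      <wsse:UsernameToken wsu:Id="unt_1">
        <wsse:Username>weblogic</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">weblogic</wsse:Password>
      </wsse:UsernameToken>
      <wsse:BinarySecurityToken wsu:Id="bst_1"
        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
        EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIICYTCC...</wsse:BinarySecurityToken>
    </wsse:Security>
  </env:Header>
  <env:Body wsu:Id="Body_1">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <xenc:CipherData><xenc:CipherValue>T7MoCfhy...</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </env:Body>
</env:Envelope>"""

if __name__ == "__main__":
    for key, value in inspect_message(SAMPLE_REQUEST, over_tls=False).items():
        print(key, "=", value)
```

Note that the report looks at the message only; whether the endpoint is reached over HTTPS is something the caller knows and passes in as over_tls, which is exactly the condition Table 1 attaches to the plain User Name Token.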

 

Key Exchange using WS-Trust

In the model above it is the responsibility of the server to validate the tokens and signatures and to perform authentication and authorization. This again can be an overhead, especially if the number of clients is very high. Also, if the client is not known to the service, it becomes difficult to establish trust with the client. To address this situation the WS-Trust standard has been adopted. In this model the responsibility of establishing trust is assigned to a third party: clients request a security token from a Secure Token Server (STS) and, once they have it, present the token to the service. The exchange mechanism and the standard format of the token are specified in WS-Trust. In my test I used opensso (an open source STS server) and captured the request-response interaction as depicted in the figure below.

 



1)Client requests for a Security token to a Secure Token Server

<soap:Envelope xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
               xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
               xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext"
               xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsa:To>http://demo</wsa:To>
    <wsse:Security soap:mustUnderstand="1"> .... </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Id-d7fceab4-62ed-45fb-bc09-69310ff1712e">
    <wsse:RequestSecurityToken>
      <wsse:TokenType>wsse:SecurityContextToken</wsse:TokenType>
      <wsse:RequestType>wsse:ReqIssue</wsse:RequestType>
      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">
        <wsa:EndpointReference>
          <wsa:Address>http://localhost:7001//SecureHelloWorldService/SecureHelloWorldService</wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
    </wsse:RequestSecurityToken>
  </soap:Body>
</soap:Envelope>

2) The Secure Token Server returns the token to the client:

<soap:Envelope xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
               xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
               xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext"
               xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1"> .... </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Id-aa53632b-2211-46c8-451-4234b12ecf834">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <xenc:CipherData>
        <xenc:CipherValue>...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>

3) The client invokes the service, presenting the token:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema"
               xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
               xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
               xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
  <soap:Header>
    <wsa:To>http://quoteservice</wsa:To>
    <wsse:Security soap:mustUnderstand="1"> .... </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Id-aa53632b-2211-46c8-451-4234b12ecf834">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> ... </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>

4) Response from the service:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema"
               xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
               xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">
  <soap:Header>
  </soap:Header>
  <soap:Body>
    <m:sayHelloResponse xmlns:m="http://www.bea.com">
      <m:return>Hello World</m:return>
    </m:sayHelloResponse>
  </soap:Body>
</soap:Envelope>
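To see what the STS has to decide on message 1 before it answers with message 2, here is an added Python example (not code from the post or from OpenSSO) that parses a RequestSecurityToken and applies a simple issuance policy; the namespace URIs are the ones in the captured messages, while the sample RST and the relying-party allow-list are constructed.

```python
"""Parse and policy-check a WS-Trust RequestSecurityToken (RST) as an STS would.
Added example, not code from the post or from OpenSSO; the namespace URIs are those of the
captured messages, the sample RST and the relying-party allow-list are constructed."""
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://schemas.xmlsoap.org/ws/2002/12/secext",
      "wsa": "http://schemas.xmlsoap.org/ws/2004/08/addressing",
      "wsp": "http://schemas.xmlsoap.org/ws/2002/12/policy"}

# Constructed sample modelled on message 1 above (Security header contents elided).
SAMPLE_RST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
  xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
  <soap:Header><wsa:To>http://demo</wsa:To><wsse:Security soap:mustUnderstand="1"/></soap:Header>
  <soap:Body><wsse:RequestSecurityToken>
    <wsse:TokenType>wsse:SecurityContextToken</wsse:TokenType>
    <wsse:RequestType>wsse:ReqIssue</wsse:RequestType>
    <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">
      <wsa:EndpointReference><wsa:Address>http://localhost:7001/SecureHelloWorldService/SecureHelloWorldService</wsa:Address></wsa:EndpointReference>
    </wsp:AppliesTo>
  </wsse:RequestSecurityToken></soap:Body>
</soap:Envelope>"""


def parse_rst(xml_text):
    """Fields an STS decides on: token type, request type, AppliesTo, and whether the
    wsse:Security header carrying the requester's credentials is present."""
    root = ET.fromstring(xml_text)
    rst = root.find("soap:Body/wsse:RequestSecurityToken", NS)
    if rst is None:
        raise ValueError("no wsse:RequestSecurityToken in soap:Body")
    field = lambda path: (rst.findtext(path, default="", namespaces=NS) or "").strip()
    return {"token_type": field("wsse:TokenType"),
            "request_type": field("wsse:RequestType"),
            "applies_to": field("wsp:AppliesTo/wsa:EndpointReference/wsa:Address"),
            "has_security_header": root.find("soap:Header/wsse:Security", NS) is not None}


def validate_rst(rst, relying_parties):
    """Checks before issuing: the requester must be authenticatable, only Issue is served,
    and AppliesTo must be a registered relying party (no token for an untrusted endpoint)."""
    problems = []
    if not rst["has_security_header"]:
        problems.append("no wsse:Security header: requester cannot be authenticated")
    if rst["request_type"] != "wsse:ReqIssue":
        problems.append("unsupported RequestType %r" % rst["request_type"])
    if rst["applies_to"] not in relying_parties:
        problems.append("AppliesTo %r is not a registered relying party" % rst["applies_to"])
    return problems
```
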

References

1) Webservices Vulnerabilities, Security Compass Inc, 2007
2) WS-Trust Specification: http://specs.xmlsoap.org/ws/2005/02/trust/WS-Trust.pdf
3) WS-Security Specification: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf
4) OpenSSO STS Solution: http://en.wikipedia.org/wiki/OpenSSO and http://www.oracle.com/technetwork/testcontent/opensso-091890.html

Converting certificate formats http://weblogic-wonders.com/weblogic/2012/01/25/converting-certificate-formats/ Wed, 25 Jan 2012 11:23:36 +0000 Faisal http://weblogic-wonders.com/weblogic/?p=5162

Converting Certificate from JKS to P12 Format

keytool -importkeystore -srckeystore Fabrizio.jks -destkeystore Fabrizio.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass weblogic1 -deststorepass weblogic1 -srcalias {4d390f81-7f7a-4a0a-ae76-9a5ea5ba567f} -destalias {4d390f81-7f7a-4a0a-ae76-9a5ea5ba567f} -srckeypass weblogic1 -destkeypass weblogic1

Converting certificate from PFX to JKS Format

java -classpath ./jetty-6.1.1.jar org.mortbay.jetty.security.PKCS12Import Fabrizio.pfx Fabrizio.jks

Converting certificate from P12 to PFX Format

1. Import the certificate in the browser using the certificate import wizard by double clicking on the p12 certificate.
2. Go to Internet Options > Content > Certificates > Personal
3. Choose your certificate and click export.
4. Select Yes Export the Private Key
5. Select Personal Information Exchange Format and provide the password.
6. Store the file as .pfx.

Thread Dumps http://weblogic-wonders.com/weblogic/2011/10/04/thread-dumps/ Wed, 05 Oct 2011 04:26:16 +0000 anandraj http://weblogic-wonders.com/weblogic/?p=5143

There are scenarios such as server hangs, crashes and performance delays where you might need to capture thread dumps for further analysis.

A thread dump is a snapshot of the currently active threads: it gives the stack trace of every Java thread in the JVM.

There are different ways to capture thread dumps; some depend on the operating system.

On Windows:

  1. Go to the server's standard output window, press Control + Break and copy the thread dump into a file

On UNIX/Linux

Find the process id of your server, then send it signal 3 (SIGQUIT):

  1. ps -ef | grep java
  2. kill -3 <pid>

WebLogic utilities to capture thread dumps

1. weblogic.Admin utility

a. Open a command prompt and set the classpath by running <DOMAIN_HOME>/bin/setDomainEnv.sh (setDomainEnv.cmd on Windows)

b. Execute the command below:

java weblogic.Admin -url t3://localhost:7001 -username weblogic -password weblogic1 THREAD_DUMP

Note: the thread dump is printed to the server's standard out (by default, the shell in which the server is running).

2. Using the Admin Console

a. Log in to the Admin Console and click on the server

b. Go to Server -> Monitoring -> Threads

c. Click on Dump Thread Stack

3. Using WLST (WebLogic Scripting Tool)

a. Save the snippet below as ThreadDump.py and execute it

************************************

connect('weblogic', 'weblogic1', 't3://localhost:7001')

cd('Servers')
cd('AdminServer')
threadDump()

disconnect()
exit()

************************************

Note: the thread dump is written to the directory from which you run the WLST script.

If your server is running as a Windows service, follow the steps below:

1. Open a command prompt and execute the below command

WL_HOME\bin\beasvc -dump -svcname:service-name

There are other tools that can be used to capture thread dumps, for example jrcmd (for JRockit), Samurai, etc.

NOTE: it is recommended to capture a set of 6-7 thread dumps at an interval of 8-10 seconds to find a pattern in the thread execution.
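As an added example of the pattern search the note above refers to (not code from the post or from WebLogic), the Python below parses a series of HotSpot-style text dumps and reports the threads whose state and top of stack never change from one dump to the next; the three sample dumps are constructed.

```python
"""Compare a series of thread dumps and flag threads that never move.
Added example, not code from the post or from WebLogic. Reads HotSpot-style text dumps
(one block per thread, starting with the quoted thread name); the sample dumps are constructed."""
import re

NAME_RE = re.compile(r'^"(?P<name>[^"]+)"')


def parse_dump(text):
    """Map thread name -> (state, top three frames) for one dump."""
    threads = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = NAME_RE.match(lines[0]) if lines else None
        if not m:
            continue  # not a thread block (JVM banner, lock summary, ...)
        state = "UNKNOWN"
        for line in lines:
            if "Thread.State:" in line:
                state = line.split(":", 1)[1].split()[0]  # "WAITING (parking)" -> WAITING
        frames = [ln.strip()[3:] for ln in lines if ln.strip().startswith("at ")]
        threads[m.group("name")] = (state, tuple(frames[:3]))
    return threads


def stuck_threads(dumps, busy_states=("RUNNABLE", "BLOCKED")):
    """Threads present in every dump with the same state and top of stack while busy:
    the pattern to look for across the 6-7 dumps the note above recommends."""
    parsed = [parse_dump(d) for d in dumps]
    common = set.intersection(*(set(p) for p in parsed))
    return sorted(n for n in common
                  if len({p[n] for p in parsed}) == 1 and parsed[0][n][0] in busy_states)


def _thread(name, state, *frames):
    return '"%s" daemon prio=5\n   java.lang.Thread.State: %s\n' % (name, state) \
        + "".join("\tat %s\n" % f for f in frames)


def _dump(i):
    # Constructed: thread 0 sits in the same socket read in every dump, thread 1 idles in
    # the pool, thread 2 is busy but its stack changes between dumps, so it is progressing.
    return "\n".join([
        _thread("ExecuteThread: '0'", "RUNNABLE",
                "java.net.SocketInputStream.socketRead0(Native Method)", "com.example.Db.read(Db.java:42)"),
        _thread("ExecuteThread: '1'", "WAITING (parking)",
                "weblogic.work.ExecuteThread.waitForRequest(ExecuteThread.java:1)"),
        _thread("ExecuteThread: '2'", "RUNNABLE", "com.example.Report.step%d(Report.java:%d)" % (i, i))])


SAMPLE_DUMPS = [_dump(i) for i in range(3)]
```
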

Cheers,

Wonders Team

How and Why we need to SECURE our Web Server http://weblogic-wonders.com/weblogic/2011/07/26/how-and-why-we-need-to-secure-our-web-server/ Tue, 26 Jul 2011 14:55:19 +0000 Shiva Shankar http://weblogic-wonders.com/weblogic/?p=5127

Introduction: Over the years, the internet and internet-based applications have revolutionised our lives. They have created many new global business opportunities for enterprises conducting online business. However, the security risks associated with conducting e-business have made security a major factor in online success or failure.

Every high-profile hacking attack has proven that web security remains a serious issue for any business that runs its operations online. Web servers are one of the most targeted public faces of an organization because of the sensitive data they usually host. Hence, securing the web server is as important as securing the website or web application itself. A secure web application on an insecure web server, or vice versa, still puts the business at huge risk. Therefore it is important to have a secured web server.

What is a Web Server? A web server can be defined as an HTTP-based server used to redirect client requests to the appropriate application servers. The following is a pictorial representation of the purpose of a web server:

Security Implementation in Apache Web Server: below is a schematic representation of the communication with a secured web server.

The security implementation inside the web server is done in two steps:

1) Installation of an SSL certificate

2) Following the security guidelines

Installation of the certificate: installing SSL certificates on Apache servers involves the following stages:

1. Create a Certificate Signing Request (CSR)
2. Apply online
3. Install your certificate
4. Display your Secure Site Seal

1. On the web server, generate a CSR and a private key with the following command:

openssl req -config openssl.cnf -new -out my-server.csr

2. Remove the pass phrase from the private key, because it contains the entropy information for creating the key and could be used for cryptographic attacks against your private key, using the command:

openssl rsa -in privkey.pem -out my-server.key

3. Use the command below to generate a self-signed certificate (later replace this with the certificate from the Certifying Authority):

openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 365

4. Create an Apache/conf/ssl directory and move my-server.key and my-server.cert into it.

5. Open the httpd.conf file and add the following line:

LoadModule ssl_module modules/mod_ssl.so

6. Add the following to the end of httpd.conf:

        SSLMutex sem
        SSLRandomSeed startup builtin
        SSLSessionCache none

        SSLLog logs/SSL.log
        SSLLogLevel info

        <VirtualHost _default_:443>
        SSLEngine On
        SSLCertificateFile conf/ssl/my-server.cert
        SSLCertificateKeyFile conf/ssl/my-server.key
        </VirtualHost>

Restart the Apache server and access the applications in SSL mode.

The following tips and guidelines, when implemented, help make our Apache servers more secure:

1) Update the Apache server with the latest security patches and fix packs (use a stable version of Apache).

2) Hide the Apache version number and other sensitive information by setting the following inside httpd.conf:

        ServerSignature Off
        ServerTokens Prod

Note: ServerSignature Off tells Apache not to display the server version on error pages or other pages it generates.
ServerTokens Prod tells Apache to return only "Apache" in the Server header, which is returned on every page request.

3) Often the Apache installation runs as an anonymous user or as root; make sure Apache runs under its own user account and group. You can check this in httpd.conf:

        User apache
        Group apache

4) Make sure Apache does not use or access any files outside its web root directory (the location where all the Apache files live):

        <Directory />
          Order Deny,Allow
          Deny from all
          Options None
          AllowOverride None
        </Directory>
        <Directory /web>
          Order Allow,Deny
          Allow from all
        </Directory>

5) In typical operation, Apache is started by the root user. Set the right permissions on the ServerRoot directories as follows:

mkdir /usr/local/apache
cd /usr/local/apache
mkdir bin conf logs
chown 0 . bin conf logs
chgrp 0 . bin conf logs
chmod 755 . bin conf logs

6) **Server Side Includes (SSI) present an administrator with several potential security risks, such as increased load on the server. Hence, turn off server side includes with the Options directive inside a Directory tag in httpd.conf: set Options to either None or -Includes.

7) Allowing users to execute ***CGI scripts in any directory should only be considered if:

- You trust your users not to write scripts which will deliberately or accidentally expose your system to an attack.

- You consider security at your site to be so feeble in other areas as to make one more potential hole irrelevant.

- You have no users, and nobody ever visits your server.

8) Watch the logs: to keep up to date about what is actually going on against your server you have to check the log files. They will give you some understanding of what attacks are thrown against the server and allow you to check whether the necessary level of security is present. Also protect the installation directory so that no other user can read or modify it:

chown -R root:root /usr/local/apache
chmod -R o-rwx /usr/local/apache

Note: /usr/local/apache is the Apache installation directory

9) Lower the timeout and restrict the request body size as follows:

        Timeout 45
        LimitRequestBody 1048576

10) Restrict access to resources by using IP restrictions:

        Order Deny,Allow
        Deny from all
        Allow from 127.0.0.1

Note: **A Server Side Include page is typically an HTML page with embedded command(s) that are executed by the web server.

***A CGI program is any program designed to accept and return data that conforms to the CGI specification. The program could be written in any programming language, including C, Perl, Java, or Visual Basic. CGI programs are the most common way for web servers to interact dynamically with users.
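As an added example (not code from the post or from the Apache project), the Python below audits an httpd.conf against the directives named in guidelines 2, 3, 6 and 9 above; the two sample configurations are constructed, and the checks look only at the first occurrence of each directive, so per-VirtualHost overrides are not modelled.

```python
"""Audit an httpd.conf against the hardening points listed above.
Added example, not code from the post or from the Apache project. It checks only the
directives the post names; both sample configurations are constructed."""


def directives(text):
    """Yield (name, value) for every directive, skipping comments and section tags."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1] if len(parts) > 1 else "")


def audit_httpd_conf(text):
    """Return one finding per weak setting; an empty list means every check passed."""
    seen, findings = {}, []
    for name, value in directives(text):
        seen.setdefault(name, value)  # first occurrence wins: a simple, global view
        if name == "Options" and any(t.lstrip("+") in ("Includes", "All") for t in value.split()):
            findings.append("Options %r enables Server Side Includes: use None or -Includes" % value)
    get = lambda name: seen.get(name, "")
    if get("ServerTokens") != "Prod":
        findings.append("ServerTokens %r: set Prod so only 'Apache' is returned" % get("ServerTokens"))
    if get("ServerSignature").lower() != "off":
        findings.append("ServerSignature not Off: version shown on generated error pages")
    if get("User") in ("", "root"):
        findings.append("User %r: run httpd under its own unprivileged account" % get("User"))
    if not get("LimitRequestBody").isdigit():
        findings.append("LimitRequestBody not set: request bodies are unbounded")
    if not get("Timeout").isdigit() or int(get("Timeout")) > 45:
        findings.append("Timeout %r: lower it (the post uses 45)" % get("Timeout"))
    return findings


# Constructed: a permissive configuration next to the settings from the guidelines above.
WEAK_CONF = """ServerTokens Full
ServerSignature On
User root
<Directory /web>
  Options Indexes +Includes
</Directory>
"""
HARDENED_CONF = """ServerSignature Off
ServerTokens Prod
User apache
Timeout 45
LimitRequestBody 1048576
Options None
"""
```
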

References:

1) http://httpd.apache.org/docs/2.0/misc/security_tips.html
2) http://www.google.com
3) http://www.modssl.org/docs/2.8/ssl_reference.html
