What to do after a P8 CPIT installation

After a CPIT installation, you will have a few more steps to do before your platform is fully operational. If you don’t, you will mainly have two errors:

  • A user authenticated as anonymous has attempted to access a session owned by user... in the WebSphere logs, resulting to be always disconnected in TDS console, and a really unstable platform (a lot of errors in the ACCE)
  • Failed to get configuration file WcmApiConfig.properties when trying to configure the Workflow system (along with a login window you shouldn’t get)

Here are the steps to follow. Since the new CPIT installer now has two WAS profiles (one for FileNet and the other for ICN, I will add for each step if they should be executed on server A (FileNet), B (Icn), or both (AB). In the IBM WebSphere administration console:

  1. A. Click Application servers > server1 > Session management > Custom properties
    and add the InvalidateOnUnauthorizedSessionRequestException = true custom property.
server = AdminConfig.getid('/Server:server1/')
wc = AdminConfig.list('WebContainer',server)
services = AdminConfig.list('Service',wc).splitlines()
attr = [['name','InvalidateOnUnauthorizedSessionRequestException'],['value','true']]
for service in services:
    AdminConfig.create('Property', service, attr)
AdminConfig.save()
  1. A. Check for “com.ibm.ws.security.addHttpOnlyAttributeToCookies” in Security > Global Security > custom properties. If found, delete it.
server = AdminConfig.getid('/Server:server1/')
security = AdminConfig.getid('/Security:/')
secprops = AdminConfig.list('Property',security).splitlines()

for prop in secprops:
    if 'com.ibm.ws.security.addHttpOnlyAttributeToCookies' == AdminConfig.showAttribute(prop, "name"):
        AdminConfig.remove(prop)
        break
AdminConfig.save()
  1. A. Check for the custom property “com.ibm.ws.webcontainer.HTTPOnlyCookies” in Server > Server Types > WebSphere application servers > server_name > Web Container Settings > Web Container > Custom properties. If found, delete it.
server = AdminConfig.getid('/Server:server1/')
wc = AdminConfig.list('WebContainer',server)
props = toList(AdminConfig.showAttribute(wc, 'properties'))
for prop in props:
    if 'com.ibm.ws.webcontainer.HTTPOnlyCookies' == AdminConfig.showAttribute(prop, "name"):
        AdminConfig.remove(prop)
        break
AdminConfig.save()

Only if you installed Workplace XT

  1. Go to Applications > Application Types > WebSphere enterprise applications > Workplace XT > Modules >Manage Modules > WorkplaceXT > Session Management.
    1. Under General Properties, check the box next to “Override session management” and click Apply.
    2. Enable cookies should be checked. Click the “Enable cookies” link in the Session tracking mechanism section.
    3. Under General properties, verify that Cookie name is set to JSESSIONID and uncheck “Restrict cookies to HTTPS sessions” and “Set session cookies to HTTPONly to help prevent cross-site scripting attacks” (WAS 8.x)
  2. Go to Applications > Application Types > WebSphere enterprise applications > Workplace XT > Web Module Properties >Session Management.
    1. Under General Properties, check the box next to “Override session management” and click Apply.
    2. Enable cookies should be checked. Click the Enable cookies link in the Session tracking mechanism section.
    3. Under General properties, verify that the Cookie name is set to JSESSIONID and uncheck “Restrict cookies to HTTPS sessions” and “Set session cookies to HTTPONly to help prevent cross-site scripting attacks” (WAS 8.x) and click Apply.

Fore everyone:

  1. A. Navigate to Security > Global security > Authentication > Web and SIP security > Single sign-on (SSO).
    8b. Under General properties, uncheck “Set security cookies to HTTP Only to help prevent cross-site scripting attacks” and click Apply
security = AdminConfig.getid('/Security:/')
prop = AdminConfig.getid('/Security:/Property:com.ibm.ws.security.addHttpOnlyAttributeToCookies/')
if prop:
    AdminConfig.modify(prop, [['value', 'false']])
else:
    AdminConfig.create('Property', security, [['name','com.ibm.ws.security.addHttpOnlyAttributeToCookies'], ['value','false']])
AdminConfig.save()
  1. A. Enable cookies and disable HTTP Only settings at the server level setting when using SSL.
    1. Navigate to Servers > Server Types > WebSphere application servers.
    2. Select the server where Workplace/Workplace XT is deployed.
    3. Click Session Management.
    4. Click the Enable cookies link under Session tracking mechanism.
    5. Uncheck “Set session cookies to HTTP Only to help prevent cross-site scripting attacks”.
server = AdminConfig.getid('/Server:server1/')
wc = AdminConfig.list('WebContainer',server)
services = AdminConfig.list('Service',wc).splitlines()
for service in services:
    AdminConfig.modify(service,[['enableCookies',value]])
    dcs = AdminConfig.showAttribute(service, 'defaultCookieSettings');
    AdminConfig.modify(dcs,[['httpOnly',value]])
AdminConfig.save()
  1. AB. NEW since 5.2.1: Add the property com.ibm.websphere.orb.uniqueServerName to WAS (since it now uses two WAS instance on the same machine)
    1. Open the administrative console of the WebSphere Application Server instance on which Content Engine or Content Platform Engine is deployed.
    2. Expand Application servers and click the server name on which Content Engine or Content Platform Engine runs. The default server name is Server1.
    3. Expand Java and process management and click Process definition > Java virtual machine > Custom properties.
    4. Click New.
    5. Enter the name com.ibm.websphere.orb.uniqueServerName and set the value to true.
import java
lineSeparator = java.lang.System.getProperty('line.separator')

server = AdminConfig.getid('/Server:server1/')
jvms = AdminConfig.list('JavaVirtualMachine',server)
arrayJVMs = jvms.split(lineSeparator)
jvm = arrayJVMs[0]

attr_name  = ['name', "com.ibm.websphere.orb.uniqueServerName"]
attr_value = ['value', "true"]
attr_required = ['required', "false"]
attr_description = ['description', ""]
attr_list = [attr_name, attr_value, attr_required, attr_description]
property=['systemProperties',[attr_list]]
AdminConfig.modify(jvm, [property])

AdminConfig.save()
  1. NEW since 5.2.1: Change the trusted realms for both server and the realm name for the ICN node (Thank you so much amirbarkal for that)
    1. AB. Go to Security >> Global Security >> RMI IIOP CSiv2 Inbound / outbound communication >> Trusted authentication outbound / inbound realms: Make sure that “Trust all realms…” is checked.
      AdminTask.configureTrustedRealms('[-communicationType outbound -trustAllRealms true]')
      AdminTask.configureTrustedRealms('[-communicationType inbound -trustAllRealms true]')
      AdminConfig.save()
      
    2. B. Make sure that the default security realm (in WebSphere) name matches on both the Navigator server and the FileNet Engine server. (Should be: “localhost:389” instead of “defaultFileBasedWim…”)
      AdminTask.renameIdMgrRealm('[-name defaultWIMFileBasedRealm -newName localhost:389]')
      AdminTask.configureAdminWIMUserRegistry('[-realmName localhost:389 -verifyRegistry false ]')
      AdminConfig.save()
      
      
  1. Restart WAS

And here is the toList function used in the given functions.

def toList(inStr):
    outList=[]
    if (len(inStr)>0 and inStr[0]=='[' and inStr[-1]==']'):
        inStr = inStr[1:-1]
        tmpList = inStr.split(" ")
    else:
        tmpList = inStr.split("\n")
    for item in tmpList:
        item = item.rstrip();
        if (len(item)>0):
           outList.append(item)
    return outList

And finally here is a script doing everything except step 4 and 5 (useful only if you installed Workplace XT) (TODO – step 8 is missing right now, please to it manually):

def toList(inStr):
    outList=[]
    if (len(inStr)>0 and inStr[0]=='[' and inStr[-1]==']'):
        inStr = inStr[1:-1]
        tmpList = inStr.split(" ")
    else:
        tmpList = inStr.split("\n") 
    for item in tmpList:
        item = item.rstrip();       
        if (len(item)>0):
           outList.append(item)
    return outList

def enableCookie(server, value):
	wc = AdminConfig.list('WebContainer',server)
	services = AdminConfig.list('Service',wc).splitlines()
	for service in services:
		AdminConfig.modify(service,[['enableCookies',value]])

def serverSessionmanagementCookiesHttpOnly(server, value):
	wc = AdminConfig.list('WebContainer',server)
	services = AdminConfig.list('Service',wc).splitlines()
	for service in services:
		dcs = AdminConfig.showAttribute(service, 'defaultCookieSettings');
		AdminConfig.modify(dcs,[['httpOnly',value]])

def setPropertiesForModules(applicationName, propertyName, propertyValue):
	deployments = AdminConfig.getid('/Deployment:'+applicationName+'/')
	deploymentObject = AdminConfig.showAttribute(deployments, 'deployedObject')
	modules = AdminConfig.showAttribute(deploymentObject, 'modules')
	modules = modules[1:len(modules)-1].split(" ")
	for module in modules:
		 if (module.find('WebModuleDeployment')!= -1):
			AdminConfig.modify(module, [[propertyName, propertyValue]])

def setclassLoaderModeForModules(applicationName):
	setPropertiesForModules(applicationName, 'classloaderMode', 'PARENT_LAST')

def addWebContainerProperty(server, propertyName, propertyValue):
	wc = AdminConfig.list('WebContainer',server)
	attr = [['name',propertyName],['value',propertyValue]]
	AdminConfig.create('Property', wc,  attr)

def deleteWebContainerProperty(server, propertyName):
	wc = AdminConfig.list('WebContainer',server)
	props = toList(AdminConfig.showAttribute(wc, 'properties'))
	for prop in props:
		if propertyName == AdminConfig.showAttribute(prop, "name"):
			AdminConfig.remove(prop)
			break

def updateWebContainerProperty(server, propertyName, propertyValue):
	wc = AdminConfig.list('WebContainer',server)
	props = toList(AdminConfig.showAttribute(wc, 'properties'))
	for prop in props:
		if propertyName == AdminConfig.showAttribute(prop, "name"):
			AdminConfig.modify(prop, [['value', propertyValue]])
			break

def deleteSecurityProperty(propertyName):
	security = AdminConfig.getid('/Security:/')
	secprops = AdminConfig.list('Property',security).splitlines()

	for prop in secprops:
		if propertyName == AdminConfig.showAttribute(prop, "name"):
			AdminConfig.remove(prop)
			break

def setSecurityProperty(propertyName, propertyValue):
	security = AdminConfig.getid('/Security:/')
	prop = AdminConfig.getid('/Security:/Property:'+propertyName+'/')
	if prop:
		AdminConfig.modify(prop, [['value', propertyValue]])
	else:
		AdminConfig.create('Property', security, [['name',propertyName], ['value',propertyValue]])

def deleteServerSessionManagementProperty(server, propertyName):
	wc = AdminConfig.list('WebContainer',server)
	services = AdminConfig.list('Service',wc).splitlines()
	for service in services:
		props = AdminConfig.list('Property',service).splitlines()
		for prop in props:
			if propertyName == AdminConfig.showAttribute(prop, "name"):
				AdminConfig.remove(prop)
				break

def addServerSessionManagementProperty(server, propertyName, propertyValue):
	wc = AdminConfig.list('WebContainer',server)
	services = AdminConfig.list('Service',wc).splitlines()
	attr = [['name',propertyName],['value',propertyValue]]
	for service in services:
		AdminConfig.create('Property', service,  attr)

def updateServerSessionManagementProperty(server, propertyName, propertyValue):
	server = AdminConfig.getid('/Server:server1/')
	wc = AdminConfig.list('WebContainer',server)
	services = AdminConfig.list('Service',wc).splitlines()
	for service in services:
		props = AdminConfig.list('Property',service).splitlines()
		for prop in props:
			if propertyName == AdminConfig.showAttribute(prop, "name"):
				AdminConfig.modify(prop, [['value', propertyValue]])
				break

server = AdminConfig.getid('/Server:server1/')

# Add the InvalidateOnUnauthorizedSessionRequestException = true custom property to the server session management. 
addServerSessionManagementProperty(server, 'InvalidateOnUnauthorizedSessionRequestException', 'true')

# Delete "com.ibm.ws.security.addHttpOnlyAttributeToCookies" in the Global Security custom properties
deleteSecurityProperty('com.ibm.ws.security.addHttpOnlyAttributeToCookies')

# Delete "com.ibm.ws.webcontainer.HTTPOnlyCookies" in the server web container's custom properties
deleteWebContainerProperty(server, 'com.ibm.ws.webcontainer.HTTPOnlyCookies')

# Uncheck "Set security cookies to HTTP Only to help prevent cross-site scripting attacks" in SSO settings
setSecurityProperty('com.ibm.ws.security.addHttpOnlyAttributeToCookies', 'false')

# Enable server session management cookies and Uncheck "Set session cookies to HTTP Only to help prevent cross-site scripting attacks".
enableCookie(server, 'true')
serverSessionmanagementCookiesHttpOnly(server, 'false')

import java
lineSeparator = java.lang.System.getProperty('line.separator')

server = AdminConfig.getid('/Server:server1/')
jvms = AdminConfig.list('JavaVirtualMachine',server)
arrayJVMs = jvms.split(lineSeparator)
jvm = arrayJVMs[0]

attr_name  = ['name', "com.ibm.websphere.orb.uniqueServerName"]
attr_value = ['value', "true"]
attr_required = ['required', "false"]
attr_description = ['description', ""]
attr_list = [attr_name, attr_value, attr_required, attr_description]
property=['systemProperties',[attr_list]]
AdminConfig.modify(jvm, [property])


AdminTask.configureTrustedRealms('[-communicationType outbound -trustAllRealms true]')
AdminTask.configureTrustedRealms('[-communicationType inbound -trustAllRealms true]')

AdminConfig.save()
import java
lineSeparator = java.lang.System.getProperty('line.separator')

server = AdminConfig.getid('/Server:server1/')
jvms = AdminConfig.list('JavaVirtualMachine',server)
arrayJVMs = jvms.split(lineSeparator)
jvm = arrayJVMs[0]

attr_name  = ['name', "com.ibm.websphere.orb.uniqueServerName"]
attr_value = ['value', "true"]
attr_required = ['required', "false"]
attr_description = ['description', ""]
attr_list = [attr_name, attr_value, attr_required, attr_description]
property=['systemProperties',[attr_list]]
AdminConfig.modify(jvm, [property])

AdminTask.configureTrustedRealms('[-communicationType outbound -trustAllRealms true]')
AdminTask.configureTrustedRealms('[-communicationType inbound -trustAllRealms true]')

AdminTask.renameIdMgrRealm('[-name defaultWIMFileBasedRealm -newName localhost:389]')
AdminTask.configureAdminWIMUserRegistry('[-realmName localhost:389 -verifyRegistry false ]')

AdminConfig.save()

You can run it with something like:

/opt/ibm/WebSphere/AppServer/bin/wsadmin.sh -username P8Admin -password PASSWORD -conntype SOAP -profileName AppSrv01 -lang jython -f "scriptForA.py"
/opt/ibm/WebSphere/AppServer/bin/wsadmin.sh -username P8Admin -password PASSWORD -conntype SOAP -port 8881 -profileName AppSrv02 -lang jython -f "scriptForB.py"

10 thoughts on “What to do after a P8 CPIT installation

  1. John Wong

    This is great! MY ACCE interface is stable now!
    Some jythons were not working due to spaces. I couldn’t get the jython with the toList to work.
    For others benefit I scripted it with the CPIT defaults:

    
    mkdir /tmp/profiles
    printf "server = AdminConfig.getid('/Server:server1/')
    security = AdminConfig.getid('/Security:/')
    secprops = AdminConfig.list('Property',security).splitlines()
    for prop in secprops:
        if 'com.ibm.ws.security.addHttpOnlyAttributeToCookies' == AdminConfig.showAttribute(prop, 'name'):
            AdminConfig.remove(prop)
            break
    AdminConfig.save()
    " > /tmp/profiles/addHttpOnlyAttributeToCookies.jython
    
    printf "security = AdminConfig.getid('/Security:/')
    prop = AdminConfig.getid('/Security:/Property:addHttpOnlyAttributeToCookies/')
    if prop:
        AdminConfig.modify(prop, [['value', 'false']])
    else:
        AdminConfig.create('Property', security, [['name','com.ibm.ws.security.addHttpOnlyAttributeToCookies'], ['value','false']])
    AdminConfig.save()
    " > /tmp/profiles/addHttpOnlyAttributeToCookies2.jython
    
    printf "server = AdminConfig.getid('/Server:server1/')
    wc = AdminConfig.list('WebContainer',server)
    services = AdminConfig.list('Service',wc).splitlines()
    for service in services:
        AdminConfig.modify(service,[['enableCookies','true']])
        dcs = AdminConfig.showAttribute(service, 'defaultCookieSettings');
        AdminConfig.modify(dcs,[['httpOnly','false']])
    AdminConfig.save()
    " > /tmp/profiles/defaultCookieSettings.jython
    
    printf "server = AdminConfig.getid('/Server:server1/')
    wc = AdminConfig.list('WebContainer', server)
    services = AdminConfig.list('Service', wc).splitlines()
    attr = [['name','InvalidateOnUnauthorizedSessionRequestException'],['value','true']]
    for service in services:
        AdminConfig.create('Property', service, attr)
    AdminConfig.save()
    " > /tmp/profiles/InvalidateOnUnauthorizedSessionRequestException.jython
    
    printf "server = AdminConfig.getid('/Server:server1/')
    wc = AdminConfig.list('WebContainer', server)
    props = toList(AdminConfig.showAttribute(wc, 'properties'))
    for prop in props:
        if 'com.ibm.ws.webcontainer.HTTPOnlyCookies' == AdminConfig.showAttribute(prop, 'name'):
            AdminConfig.remove(prop)
            break
    AdminConfig.save()
    " > /tmp/profiles/HTTPOnlyCookies.jython
    
    
    cd /opt/ibm/WebSphere/AppServer/bin
    ./wsadmin.sh  -lang jython -conntype SOAP -port 8880 -host localhost -username p8admin -password IBMFileNetP8 -f /tmp/profiles/defaultCookieSettings.jython
    ./wsadmin.sh  -lang jython -conntype SOAP -port 8880 -host localhost -username p8admin -password IBMFileNetP8 -f /tmp/profiles/InvalidateOnUnauthorizedSessionRequestException.jython
    ./wsadmin.sh  -lang jython -conntype SOAP -port 8880 -host localhost -username p8admin -password IBMFileNetP8 -f /tmp/profiles/addHttpOnlyAttributeToCookies.jython
    ./wsadmin.sh  -lang jython -conntype SOAP -port 8880 -host localhost -username p8admin -password IBMFileNetP8 -f /tmp/profiles/HTTPOnlyCookies.jython
    ./wsadmin.sh  -lang jython -conntype SOAP -port 8880 -host localhost -username p8admin -password IBMFileNetP8 -f /tmp/profiles/addHttpOnlyAttributeToCookies2.jython
    
    Reply
    1. Guillaume Post author

      Awesome! Thanks for that John, great job! I’ll try to correct the spaces in the Jython but this is better to have everything in one script as you did. If you don’t mind, I might add your script at the end of the post. So others can see it, because they could miss it in the comments.

      Reply
    1. Guillaume Post author

      Hi Amir,
      Indeed I forgot to update this post since 5.2.1, which now install two distinct WAS so it should be done. Thank you for this I update the post right away.

      Reply
  2. amirbarkal

    Also, there is a really stupid thing that needs to be done in the websphere admin console of the navigator host in order to succesfully add a FileNet repository in the navigator UI:
    1. Go to Security >> Global Security >> RMI IIOP CSiv2 Inbound / outbound communication >> Trusted authentication outbound / inbound realms: Make sure that “Trust all realms…” is checked.
    2. Make sure that the default security realm (in WebSphere) name matches on both the Navigator server and the FileNet Engine server. (Should be: “localhost:389″ instead of defaultFileBasedWim…”)

    I’m really pissed off IBM didn’t make sure this is done by the cpit installation!

    Reply
    1. Guillaume Post author

      Amir, if it fixes the problem we have been discussing with Andy, Paul and Ian here and here, you will be saving me a looot of time. I’ll check this as soon as I have time and if it works, I will update all my posts according to this, and I’ll own you a big one 🙂
      BTW, your blog is all empty, I guess it’s because it’s brand new?

      Reply
    2. Guillaume Post author

      Well Amir you’re a genius.

      I don’t know how you came up with this nor where you found it but that works like a charm. Sorry I haven’t got time to test and give you credit earlier but I was quite busy and kept working with my 5.2.0 upgraded to 5.2.1 platform. I updated the post with your instructions. Thanks again. I don’t understand as well… either they don’t test their CPIT installer at IBM or we missed some pre-requisites 🙂

      Regards

      Reply
  3. amirbarkal

    I think I accidentally commented using the wrong WordPress username. I have another Blog (who is also new and almost empty, just 1 post)
    Thanks for updating your post with step 8

    Reply

Leave a Reply to Guillaume Cancel reply