Java2 security and IBM WebSphere adapters

Don’t you love Java2 security? When enabled, it limits what your Java programs can do – by program, not by user ID. You would have to give code specific permissions to read/write files, access sockets, etc. Sounds great, doesn’t it? Well, it does not, at least in the world of enterprise and Web software where I live. In all my years in consulting going from one company to another I’ve seen only one place that used Java2 security. All others decided that it is more hassle then benefit.

And here’s another strike against it: when Java2 security is enabled in WebSphere Enterprise Service Bus (ESB) in a clustered environment, WebSphere adapter for CICS ECI does not work properly. You could see ClassNotFound exceptions when accessing the adapter. IBM support resolved the issue right away: just turn off Java2 security.

WPS: Querying human tasks with multiple custom properties

Suppose you have a human task application running on WebSphere Process Server. Your application requires creating, manipulating and assigning tasks based on certain criteria that are not exposed by HTM interface. Naturally, you add a custom property to your tasks to hold this “side” information. This process is described in this developerWorks article.

As an example, your query might look like this:
resultSet = htm.query(
"DISTINCT TASK.TKIID, TASK.NAME, TASK_CPROP.NAME",
"TASK_CPROP.NAME = 'branch'", …)


But what if you have more then 1 custom property? This Infocenter article gives an example where clause:
"TASK_CPROP1.NAME = 'prop1' AND " TASK_CPROP1.STRING_VALUE = 'v1' AND
TASK_CPROP2.NAME = 'prop2' AND " TASK_CPROP2.STRING_VALUE = 'v2'"

When do you need to add these ordinal numbers (like 1 and 2 in the example above) to the TASK_CPROP table name? Does the number has anything to do with the order in which the properties are defined on the task?

Rule:

1. If you only use a single custom property in a query, reference TASK_CPROP table without ordinal number.
   You should not use TASK_CPROP1, TASK_CPROP2 or 3,4,5…9 in this case.
2. If you use more then one custom property in a query, differentiate between them by adding a number to TASK_CPROP table name. You can pick any numbers you want, but be consistent within each query: use TASK_CPROP1 for one parameter, TASK_CPROP2 for another and so on.
   The number has no relationship with the order in which parameters are defined on the task.

   For example, your task may have 3 properties defined in the following order: propcount, branch, costCenter.
   

   

   Task with 3 properties: propcount, branch, costCenter

   And the following query referencing “branch” as #1 and “costCenter” as #2 will be perfectly valid:
   htm.query("DISTINCT TASK.TKIID, TASK.NAME, TASK_CPROP1.STRING_VALUE, TASK_CPROP2.STRING_VALUE",
"TASK_CPROP1.NAME='branch' and TASK.CPROP2.NAME='costCenter'", ...)


Explanation:
Underlying data for custom properties of human tasks is stored in database table TASK_INST_PROP_T and exposed through a database view TASK_CPROP. Both the table and the view are agnostic of property number. The view is documented here. The view contains only 4 columns: TKIID, NAME, DATA_TYPE and STRING_VALUE. There is only one table/view for custom properties and it has no room to store property’s ordinal number. TASK_CPROP1, TASK_CPROP2 and so on are aliases created in the FROM clause of the query, which is auto-generated behind the scenes based on SELECT and WHERE clauses. So this query:
htm.query("DISTINCT TASK.TKIID, TASK.NAME, TASK_CPROP1.STRING_VALUE, TASK_CPROP2.STRING_VALUE",
"TASK_CPROP1.NAME='branch' and TASK.CPROP2.NAME='costCenter'", ...)

may be translated into SQL resembling this (my reconstruction, not actual SQL from WPS product):

SELECT
DISTINCT TASK.TKIID, TASK.NAME, TASK_CPROP1.STRING_VALUE, TASK_CPROP2.STRING_VALUE
FROM
TASK INNER JOIN TASK_CPROP as TASK_CPROP1 ON TASK.TKIID=TASK_CPROP1.TKIID
INNER JOIN TASK_CPROP as TASK_CPROP2 ON TASK.TKIID=TASK_CPROP2.TKIID
WHERE
TASK_CPROP1.NAME='branch'
and TASK.CPROP2.NAME='costCenter'

Same logic applies, mutatis mutandis, to task templates (TASK_TEMPL_CPROP view) and escalations (ESCALATION_CPROP view)

WebSphere Business Monitor: troubleshooting events not flowing through a monitor model

One of the most common problems in WebSphere Business Monitor runtime administration is events not making it all the way to Dashboards (Portal or Business Space). Applications are running normally and emitting events that should be input to WebSphere Business Monitor (colloquially known as BAM), but BAM produces no output: no instance data is seen in dashboards. I’ve recently had an opportunity to troubleshoot 2 BAM installations in different organizations on consecutive days and I was faced with this problem in both cases.

Here are some things to check if you come across this situation:
1. A good first step in problem determination if you have access to monitor database is to check tables in the monitor model schema. There are few tables in this schema, so the task is easy. Here’s the list of tables from one simple model I developed:
CONSUMED_EVENT_T
PROCESSED_EVENTS
EVENT_SEQUENCE_INDICES
INCOMING_EVENTS
MCT_XTRCTMDLM_20091201151007
KCT_KPI_TRIGGER_20091201151007

There is one table per monitoring context (the one which name starts with MCT), plus tables for incoming, consumed and processed events, tables for KPIs and, in this case, one more service table. If this is the first time you attempt to run a model, you are just interested in cardinalities (number of rows in tables). Otherwise, you’d be looking at the number of recent rows.
If there is no data in any tables, events are not being routed to BAM. If there are rows in incoming_events table only, events are sent to BAM, but monitor model is not processing events. In the end, if the model works correctly, you should see one row in the monitoring context (MCT_*) table per, well, monitoring context created by original events.

2. Check that your monitor model is startable. Inspect SystemOut.log of the server running your model’s moderator module.
This message indicates successful startup of the monitor model:
[12/2/09 13:53:53:375 EST] 00000011 ConsumerDaemo I com.ibm.wbimonitor.mm.TestModel3.20081024161629.moderator.ConsumerDaemonHandlerImpl startDaemon() CWMRT3005I: The Monitor Model "TestModel3 20081024161629" is starting consumption on this server or cluster member in SERIAL_ST mode with reordering=false from PRIMARY_JMS_QUEUE.

On the other hand, this message indicates failure:
CWMRT2009W: The MM application is not in a startable state. This is usually because lifecycle steps are not complete.

If you see this error, perform step 3.

3. Check that mandatory lifecycle steps have been performed. Log on to admin console, go to Applications -> Monitor Models -> your model -> click on version -> make sure that all lights are green.

“Schema created” is the only lifecycle step that impacts operational data flow through monitor model.
If “Schema created” step is red, database schema creation for the model did not complete. Click on “Manage schema” link on the right. If your database environment is not restrictive and monitor database user has administrative permissions, you can create schema by clicking “Run Create Schema Script” button. In case of restrictive databases, such as DB2 for z/OS, this button is not even enabled. You will need to export the DDL by clicking “Export Create Schema Script” and work with your DBA to create and configure schema.

4. Check that CEI distribution is active
Click on your model version, and check the text under “CEI distribution mode”.
It should be active AND it should be in the right mode. In most cases (with exception of test environment), you likely are using queue bypass, in which case CEI distribution mode should read “Active (monitor model queue bypass)”.
To change distribution mode, click on “Change CEI distribution mode” link on the right.

Select desired value from “Target” drop down and click OK. Restart the target CEI server/cluster!

5. Check that correct CEI server has been configured as event source. This is a common problem in complex multiple cluster topologies.
Click on your model (not version) and then click on “Change CEI configuration”.

Check the table under “Event group profile list name” at the bottom of the properties page. In case of a complex topology with multiple CEI servers in the cell, all CEI-enabled clusters/servers will be listed individually. Make sure the right CEI server is selected (checkbox ticked). If you need to make a change, follow this procedure. First, checkboxes are made inactive (unavailable) if at least one model version has active CEI distribution. Deactivate CEI distribution for all model versions (change distribution mode to Inactive) as described in previous step. Wait for a minute for the change to become effective. Then come back to this property page – those checkboxes will become enabled. Select the right cluster/server, click Apply and then change distribution mode to Active for all model versions as described in step 4.

Update on Alphablox in WebSphere Business Monitor

Earlier this year I blogged about installing Alphablox as part of WebSphere Business Monitor. Real production environments require clustering, and it was difficult to accomplish. Using DB2 on z/OS for data repository was particularly daunting task. Mike Killelea commented on my original post, noting that IBM disclaimed support for this scenario.

This time of the year, IBM is preparing version 7 of its BPM stack for release. From what I saw, Alphablox is much better integrated into Business Monitor (BAM). Remember, until now you had to run a separate Alphablox installer (with the exception of non-production-grade standalone profile). Now, ABX install is fully integrated. I specifically inquired about z/OS database support and was told that it is ON. I’ll post an update when I learn more.

Eliminate spurious orbtrc files on WebSphere client when using HTTPS tunneling

When using WebSphere Application Client (J2EE, thin or pluggable) to access EJBs on WebSphere Application Server, an optional ORB trace file may be created. You can specify trace file location and name, but if you do not, default file name is orbtrc.timestamp.txt (e.g. orbtrc.10112009.1815.37.txt)
Of course, oftentimes you do not want any trace, and you certainly can turn tracing off. Well, with one exception. If you are using HTTP tunneling with SSL (HTTPS tunneling), trace file will be created automatically with the default name. This behavior has been known to affect several versions of WAS. I last confirmed it in WAS 6.1.
This may be annoying or inappropriate in some client environments. As a workaround, redirect trace output to null device by adding the following parameters to your client JVM command line:
for Windows
-Dcom.ibm.CORBA.Debug.Output=nul:
for Unix/Linux, use /dev/null.

No driverType in Oracle JDBC driver

Database access in WebSphere Application Server is performed through JDBC Providers. JDBC Provider is a configuration element specifying JDBC driver class. For actual database access, one creates Data Sources underneath a JDBC Provider.
At runtime, the first time a data source is accessed, corresponding JDBC Provider is activated. At this time, WebSphere logs a series of informational messages detailing JDBC Provider version and configuration. One of the messages you can see in SystemOut log is DSRA8208I, which Infocenter documents this way:

DSRA8208I: JDBC driver type : {0}
Explanation: The JDBC driver type.
User Response: The JDBC driver type is now used by applications.

Driver type is JDBC driver type and nowadays almost universally equals 4 (pure Java).
When DB2 provider is in use, you might see this:
DSRA8208I: JDBC driver type : 4

However, with Oracle provider the message shows an empty driver type, which may cause confusion or concerns :
DSRA8208I: JDBC driver type : ""

What happened here? Has the driver loaded incorrectly or is unrecognized? Don’t worry. There is no reason for alarm – Oracle provider does not have “driverType” parameter and so this value is always empty with Oracle.

Coexistence of WebSphere Business Monitor and Process Server 6.2

UPDATE 11/12: The fix for the issue described below is included in WBM 6.2 Fixpack 2, now publicly available.

ORIGINAL POST:
If you installed WebSphere Business Monitor (aka BAM) version 6.2 into the same directory as Process Server or WESB 6.2, you may run into problems with overlapping OSGI plugins.
Your WPS/WESB modules and mediations could fail with JXPath error like this:

[5/18/09 19:25:21:744 EDT] 0000005f ExceptionUtil E CNTR0020E: EJB threw an unexpected (non-declared) exception during invocation of method "transactionRequiredActivitySessionNotSupported" on bean "BeanId(TestFanoutApp#TestFanoutEJB.jar#Module, null)". Exception data:
Mediation primitive failure:
Mediation primitive: FanOut1
Component: TestFanout
Module: TestFanout
com.ibm.wsspi.sibx.mediation.MediationBusinessException: CWSXM3752E: Error using XPath expression [Ljava.lang.Object;@7d6e7d6e to locate repeating element: org.apache.commons.jxpath.JXPathException: No value for xpath: /body/print/input/orders. This has been reported by the following entity: ID=FanOut1,Request,print,PrintOrder,http://TestFanout/PrintOrder,TestFanout,TestFanout
at com.ibm.ws.sibx.mediation.primitives.util.ExceptionHelper.newMediationBusinessException(ExceptionHelper.java:128)
at com.ibm.ws.sibx.mediation.primitives.fan.FanOutMediation.locateRepeatingElement(FanOutMediation.java:726)
at com.ibm.ws.sibx.mediation.primitives.fan.FanOutMediation.performNonAggregationMediate(FanOutMediation.java:593)
at com.ibm.ws.sibx.mediation.primitives.fan.FanOutMediation.mediate(FanOutMediation.java:265)
at com.ibm.ws.sibx.scax.mediation.engine.JavaMediationPrimitive.performInvocation(JavaMediationPrimitive.java:630)
at com.ibm.ws.sibx.scax.mediation.engine.JavaMediationPrimitive.invoke(JavaMediationPrimitive.java:352)
at com.ibm.ws.sibx.scax.mediation.engine.MediationPrimitive.invokeConnections(MediationPrimitive.java:318)
at com.ibm.ws.sibx.scax.mediation.engine.JavaMediationPrimitive.fireOutputTerminals(JavaMediationPrimitive.java:728)
at com.ibm.ws.sibx.scax.mediation.engine.JavaMediationPrimitive.performInvocation(JavaMediationPrimitive.java:650)
at com.ibm.ws.sibx.scax.mediation.engine.JavaMediationPrimitive.invoke(JavaMediationPrimitive.java:352)
at com.ibm.ws.sibx.scax.mediation.engine.MediationPrimitive.invokeConnections(MediationPrimitive.java:318)
at com.ibm.ws.sibx.scax.mediation.engine.Input.invoke(Input.java:138)
at com.ibm.ws.sibx.scax.mediation.engine.RequestFlow.invokeFlow(RequestFlow.java:132)
at com.ibm.ws.sibx.scax.mediation.engine.MediationFlow.invokeRequestFlow(MediationFlow.java:145)
at com.ibm.wsspi.sibx.mediation.flow.ejb.MediationFlowBean.invokeRequestFlow(MediationFlowBean.java:231)
at com.ibm.wsspi.sibx.mediation.flow.ejb.EJSLocalStatelessTestFanout_c53bef64.invokeRequestFlow(EJSLocalStatelessTestFanout_c53bef64.java:127)
at com.ibm.ws.sibx.scax.mediation.component.ejb.EJBMediationFlowComponentImpl.invokeRequestFlow(EJBMediationFlowComponentImpl.java:223)
at com.ibm.ws.sibx.scax.runtime.handler.MFCImplementationHandler.processMessage(MFCImplementationHandler.java:199)
at com.ibm.ws.sca.internal.message.impl.MessageDispatcherImpl.processMessageWithPCI(MessageDispatcherImpl.java:715)
at com.ibm.ws.sca.internal.message.impl.MessageDispatcherImpl.processMessage(MessageDispatcherImpl.java:1167)
at com.ibm.ws.sca.internal.message.impl.ManagedMessageImpl.process(ManagedMessageImpl.java:843)
at com.ibm.wsspi.sca.ejb.module.impl.ModuleSessionBean.processUOWMessage(ModuleSessionBean.java:336)
at com.ibm.wsspi.sca.ejb.module.impl.ModuleSessionBean.transactionRequiredActivitySessionNotSupported(ModuleSessionBean.java:315)
at com.ibm.wsspi.sca.ejb.module.EJSLocalStatelessModule_43132892.transactionRequiredActivitySessionNotSupported(EJSLocalStatelessModule_43132892.java:233)
at com.ibm.ws.sca.internal.uow.handler.UOWStrategyImpl.transactionGlobalActivitySessionFalse(UOWStrategyImpl.java:311)
at com.ibm.ws.sca.internal.uow.handler.JoinUOWHandler.processMessage(JoinUOWHandler.java:165)
[snip]

Or you may have classloading problems when trying to work with monitor models.

Same issues may occur with fixpack 1 of both products (WPS/WESB 6.2.0.1 and WBMonitor 6.2.0.1)
This is happening because WPS/WESB and WBM/BAM each comes with its own version of JXPath libraries. A fix for this issue will soon be publicaly available from the monitor team. It would restrict visibility of JXPath library packaged with WBM to monitor code.
If your symptoms match, please ask IBM support about JR33245.

Cloudburst: My refrigerator runs WebSphere

IBM has pre-announced WebSphere Application Server Hypervisor Edition and WebSphere Cloudburst appliance. I understand both will be officially made available during SOA Impact this week. WAS HE is application server in a VM image. Cloudburst is even better – it lets you have your application server in an appliance. Remember “my coffee maker runs Java?” Well, now your refrigerator runs WebSphere! WAS ND is pre-installed and you have an option to turn on Feature Packs with a simple checkbox. While at this time there are only 2 publicly available Feature Packs for WAS 7 (SCA and Web 2.0), another one is on its way (XML, which will include XML Schema 2.0, XPath 2.0 and XQuery 1.0). Profile creation is also included – just choose which profile you want. This way, after a few minutes of initial configuration you have a working installation of WAS ready to run.

This is a very interesting move by IBM, building on success of their DataPower line of appliances, which expanded from original 3 models to current 5 with recent addition of B2B gateway (XB60) and low-latency messaging appliance (XM70). Now, this new form factor comes to the application server world. Both WAS HE and Cloudburst will help dramatically reduce environment creation overhead. Now server environment can be stood up in a very short time.

While WAS HE and Cloudburst may be used together, this is not the only way. One could say that they represent opposite ends of the software “hardness” specter. Cloudburst is clearly out there on the “hard” side. But WAS HE is just a VM image, which may be brought online when needed. When no longer necessary, it can be shut down and left to wither on a backup shelf. This gives organizations ability to manage server capacity easier.

Cloudburst, advertised as a “private cloud” solution, can be deployed in more “mundane” implementations having nothing to do with clouds at all.

It would be interesting to see if this move leads to more appliance offerings. I’m thinking next in line will be widely used software running on WAS – Portal and Process Server.

UPDATE 5/6/2009: Feature Pack for XML is now available as an open beta here.