Saturday, April 30, 2011

Weblogic transactions

http://download.oracle.com/docs/cd/E12840_01/wls/docs103/jta/trxman.html#wp1052600

Handling Heuristic Completions
Heuristic error
After the abandon transaction timer expires, no further attempt is made to resolve the transaction with any resources that are unavailable or unable to acknowledge the transaction outcome. If the transaction is in a prepared state before being abandoned, the transaction manager will roll back the transaction to release any locks held on behalf of the abandoned transaction and will write an heuristic error to the server log.
A heuristic completion (or heuristic decision) occurs when a resource makes a unilateral decision during the completion stage of a distributed transaction to commit or rollback updates. This can leave distributed data in an indeterminate state. Network failures or resource timeouts are possible causes for heuristic completion. In the event of an heuristic completion, one of the following heuristic outcome exceptions may be thrown:

HeuristicRollback—one resource participating in a transaction decided to autonomously rollback its work, even though it agreed to prepare itself and wait for a commit decision. If the Transaction Manager decided to commit the transaction, the resource's heuristic rollback decision was incorrect, and might lead to an inconsistent outcome since other branches of the transaction were committed.

HeuristicCommit—one resource participating in a transaction decided to autonomously commit its work, even though it agreed to prepare itself and wait for a commit decision. If the Transaction Manager decided to rollback the transaction, the resource's heuristic commit decision was incorrect, and might lead to an inconsistent outcome since other branches of the transaction were rolled back.

HeuristicMixed—the Transaction Manager is aware that a transaction resulted in a mixed outcome, where some participating resources committed and some rolled back. The underlying cause was most likely heuristic rollback or heuristic commit decisions made by one or more of the participating resources.

HeuristicHazard—the Transaction Manager is aware that a transaction might have resulted in a mixed outcome, where some participating resources committed and some rolled back. But system or resource failures make it impossible to know for sure whether a Heuristic Mixed outcome definitely occurred. The underlying cause was most likely heuristic rollback or heuristic commit decisions made by one or more of the participating resources.
When an heuristic completion occurs, a message is written to the server log. Refer to your database vendor documentation for instructions on resolving heuristic completions.
Some resource managers save context information for heuristic completions. This information can be helpful in resolving resource manager data inconsistencies. If the ForgetHeuristics attribute is selected (set to true) on the JTA panel of the WebLogic Console, this information is removed after an heuristic completion. When using a resource manager that saves context information, you may want to set the ForgetHeuristics attribute to false.

Friday, April 29, 2011

SSL

These are the steps I followed. This was a straightforward task: configuring Apache to accept HTTPS traffic. Further enhancements, such as forcing HTTPS only or validating client certificates, were not required.

This article is quite good

http://articles.sitepoint.com/article/securing-apache-2-server-ssl

If on Linux, install mod_ssl (http://www.cyberciti.biz/faq/rhel-apache-httpd-mod-ssl-tutorial/).

yum install mod_ssl ...

Also http://www.csrparser.com/ is handy for checking any old CSRs

Setting up certs etc.


Generate a certificate.

Prerequisite:

To do this you need a Certification Authority (CA): either openssl to DIY, or a public CA. See links above.

1/ Generate CSR (Certificate Signing Request)

Multiple ways to do this. OpenSSL or Keytool.

For openssl using defaults you can simply do

openssl req -new

2/ Generate certificate (using CA)

3/ Install certificate in Apache (as root)

4/ Edit ssl.conf file (equivalent to httpd.conf). Configure any VirtualHosts you require, and assign them the requisite keys and certs, e.g.



<VirtualHost www.nixcraft.com:>
SSLEngine On
SSLCertificateFile /etc/pki/tls/http/apachecert.pem
SSLCertificateKeyFile /etc/pki/tls/http/apachekey.pem
SSLProtocol All -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:+MD5
DocumentRoot /var/www/html/ssl
ServerName www.nixcraft.com
</VirtualHost>


Create CA private Key (used for generating CSRs)

openssl genrsa -aes256 -out domainname.com.key 1024

In general generate a private key per domain

Create Self Signed CA cert (Also generates private Key for CA)

openssl req -new -x509 -extensions v3_ca -keyout ./private/cakey.pem -out cacert.pem -days 3650

Create Self signed CA using existing private key

openssl req -new -x509 -extensions v3_ca -key privateKey.pem -out cacert.pem -days 3650

This command demonstrates how openssl commands combine functionality.

The req command accepts the -x509 switch, so it writes a self-signed certificate instead of a certificate request.
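Steps 1 and 2 (generate a CSR, then have the CA sign it) carried through end to end with a throwaway CA, followed by the two checks worth running before installing the result in Apache: does the certificate chain to the CA, and does it match the private key. This is an added example, not part of the original post; the subject names, file names, inline ca.cnf, 2048-bit keys and unencrypted demo keys are assumptions chosen so it runs unattended.

```sh
#!/bin/sh
# Added example: a throwaway CA signs a server CSR, then the result is checked.
# Every name here (Demo Test CA, www.example.test, file names) is constructed.
set -eu

make_ca() {  # $1 = directory that receives ca.cnf, cakey.pem and cacert.pem
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # -nodes leaves the CA key unencrypted so the demo runs without a prompt
    openssl req -new -x509 -nodes -newkey rsa:2048 -config "$1/ca.cnf" \
        -extensions v3_ca -keyout "$1/cakey.pem" -out "$1/cacert.pem" \
        -days 3650 2>/dev/null
}

issue_server_cert() {  # $1 = CA directory, $2 = server host name
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    # Step 1: CSR for the server key
    openssl req -new -key "$1/server.key" -subj "/CN=$2" \
        -config "$1/ca.cnf" -out "$1/server.csr"
    # Step 2: the CA signs the CSR
    openssl x509 -req -in "$1/server.csr" -CA "$1/cacert.pem" \
        -CAkey "$1/cakey.pem" -set_serial 1 -days 365 -sha256 \
        -out "$1/server.crt" 2>/dev/null
}

chain_ok() {  # $1 = CA certificate, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

key_matches_cert() {  # $1 = private key, $2 = certificate
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

D=$(mktemp -d)
trap 'rm -rf "$D"' EXIT
make_ca "$D"
issue_server_cert "$D" www.example.test
chain_ok "$D/cacert.pem" "$D/server.crt" && echo "chain: OK"
key_matches_cert "$D/server.key" "$D/server.crt" && echo "key matches cert"
```

A mismatch in key_matches_cert is the usual reason Apache refuses to start after a certificate is installed next to the wrong key file.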

Keystore

The default location of the keystore file is %JAVA_HOME%/jre/security/.keystore

To include trusted certs from the keystore in a java client you must add the following


java -Djavax.net.ssl.trustStore=...

Problems
Unsupported OID in the AlgorithmIdentifier
<ms_osb1> <[ACTIVE] ExecuteThread: '13' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1315908488277> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>


http://java.sun.com/javase/6/webnotes/6u13.html

I was doing some work with 2-way SSL, and seeing the following error in my weblogic (OSB) logs.

As it happens this is a problem with JDK 1.6_013. They included a non compatible CA cert in the keystore.

keytool -delete -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -alias ttelesecglobalrootclass2ca -storepass changeit
keytool -delete -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -alias ttelesecglobalrootclass3ca -storepass changeit



How do I remove a passphrase from a key?


Perhaps you’ve grown tired of typing your passphrase every time your secure daemon starts. You can decrypt your key, removing the passphrase requirement, using the rsa or dsa option, depending on the signature algorithm you chose when creating your private key.

If you created an RSA key and it is stored in a standalone file called key.pem, then here’s how to output a decrypted version of the same key to a file called newkey.pem.

# you'll be prompted for your passphrase one last time

openssl rsa -in key.pem -out newkey.pem

Often, you’ll have your private key and public certificate stored in the same file. If they are stored in a file called mycert.pem, you can construct a decrypted version called newcert.pem in two steps.

# you'll need to type your passphrase once more

openssl rsa -in mycert.pem -out newcert.pem

openssl x509 -in mycert.pem >>newcert.pem

from

http://www.madboa.com/geek/openssl/#key-removepass

Tuesday, April 12, 2011

Hudson and Ant

The following error was blocking all my Hudson builds

UNC paths are not supported.  Defaulting to Windows directory.

This was occurring after checkout, just as it starts to try and build

The problem was that I was building on a network drive, and this was causing problems. Solution is

1/ to map network drive to a lettered drive

2/ Set Hudson_Home to point to new directory. (export CATALINA_OPTS="-DHUDSON_HOME=/path/to/hudson_home/ -Xmx512m")

3/ Restart

  
At revision 11699
no change for https://svnServer/svn/AdminToolsWeb since the previous build
[workspace] $ cmd /c call "F:\My Documents\apps\apache-tomcat-7.0.4\temp\hudson6361.bat"
'\\c\USERS_HOME\khyland\.hudson\jobs\WAT\workspace'
CMD.EXE was started with the above path as the current directory.
UNC paths are not supported.  Defaulting to Windows directory.
  
C:\WINDOWS>f:\\apps\\ant.bat clean package 
Buildfile: build.xml does not exist!
Build failed
Finished: FAILURE