Introduction to External Security Manager

WebSphere Portal Server allows you to use an external security manager such as Tivoli Access Manager or Netegrity SiteMinder for managing both authentication and access control (authorization) for portal resources. WebSphere Portal ships with authorization adapters for Tivoli Access Manager and Netegrity SiteMinder.

Portal access control lets you put individual subtrees of the protected resource hierarchy under external protection. For example, using the Resource Permissions portlet you can select a resource and change its externalization state. As a result, the selected resource and all resources contained in the subtree rooted at this resource are either put under external access control or brought back under portal internal access control, depending on the externalization state chosen. Inheritance always stops between resources that have different externalization states.

This means that each resource is exclusively protected either by portal access control or by the external system. When you put a resource under the external security manager, the portal still enforces that a user can perform only those actions for which a role is assigned to him; the only thing that changes is that the mapping between roles and users/groups is managed through the external authorization system.

Role Blocks

Role blocks prevent inheritance through the resource hierarchy.

Two kinds of role blocks exist:

  1. Inheritance blocks: prevent a resource from acquiring role assignments from parent resources. Visualize this as inserting a block above the resource.

  2. Propagation blocks: prevent a resource from extending role assignments to child resources. Visualize this as inserting a block below the resource.


[Diagram: Market News page with child pages European Market News and USA Market News; Bob holds the Editor role on Market News]

There can be situations where you do not want a user to inherit roles. For example, in this diagram Bob has the Editor role on the Market News page and, because of inheritance, he gets the Editor role for both the European Market News page and the USA Market News page. If you want, you can block his role inheritance at the European Market News page, so that he does not get the Editor role for either the European Market News page or the pages below it.

You can block roles using the Resource Permissions portlet like this:
[Screenshot: Resource Permissions portlet, blocking the Editor role from being inherited from the parent]

In this screenshot I am blocking the Editor role from being inherited from its parent. Similarly, if you want John Doe to be editor of only the "Parallel Rendering Portlet" page and not of the pages below it, you can clear the Allow Propagation check box for the Editor role on that page.

A role block is role type specific and tied to a specific resource. For example, an inheritance block for roles of type Editor on the Europe Market News page ensures that the Europe Market News page does not inherit any Editor role assignments from its parent resource, the Market News page. This role block does not affect inheritance of other role types. For example, Manager roles are still inherited. So, all users with the Manager@Market News Page role inherit the Manager@Europe Market News Page role unless a separate role block for the Manager role type exists.

Role blocks for roles of type Administrator and Security Administrator can only be inserted or removed through the XML configuration interface. For example, if Mary has the Administrator@Market News Page role, and the USA Market News Page is a child of the Market News Page, Mary automatically has the Administrator@USA Market News Page role. The Administrator@USA Market News Page role cannot be blocked with an inheritance or a propagation block set through the Portal Scripting Interface or the User and Group Permissions or Resource Permissions portlets.

All role types (including the Administrator and Security Administrator roles) are automatically blocked for the following types of resources:

  • Private pages

  • Externalized resources that have an internal parent resource

  • Internal resources that have an externalized parent resource


For example, if access to the Market News page is controlled internally by WebSphere Portal, and the USA Market News Page is controlled externally by IBM Tivoli Access Manager for e-business, none of the roles on the Market News Page are inherited by the USA Market News Page. So, if Mary has the role Editor@Market News Page, she does not automatically get the role Editor@USA Market News Page, because the USA Market News page is managed externally. If both the Market News page and the USA Market News page are managed externally (or if both are managed internally), Mary inherits the role Editor@USA Market News Page unless a role block is used. In general, there is never any inheritance between two resources that differ in their externalization state. In other words, an externally protected resource never inherits from an internally protected resource and vice versa.
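To make the rules above concrete, here is a small model of them in Python. It is an added example, not code from the original post or from WebSphere Portal itself: the resources, users and role names are made up, and it models only what the text states (inheritance down the subtree, role-type specific inheritance and propagation blocks, private pages, and the automatic block at every change of externalization state).

```python
# Added example: a toy model of role inheritance through the portal resource
# hierarchy. Not WebSphere Portal code; all resource and user names are invented.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Resource:
    name: str
    parent: Optional["Resource"] = None
    external: bool = False      # protected by the external security manager?
    private: bool = False       # private page: every role type is blocked
    assignments: dict = field(default_factory=dict)    # role type -> set of principals
    inherit_blocks: set = field(default_factory=set)    # role types blocked coming in from the parent
    propagate_blocks: set = field(default_factory=set)  # role types blocked going out to children

    def assign(self, role_type, *principals):
        self.assignments.setdefault(role_type, set()).update(principals)


def effective_holders(res, role_type):
    """Principals holding role_type on res, directly assigned or inherited."""
    holders = set(res.assignments.get(role_type, ()))
    parent = res.parent
    if parent is None:
        return holders
    # Automatic blocks: private pages and any internal/external boundary.
    if res.private or res.external != parent.external:
        return holders
    # Explicit blocks: a propagation block below the parent or an
    # inheritance block above this resource. Both are role-type specific.
    if role_type in parent.propagate_blocks or role_type in res.inherit_blocks:
        return holders
    return holders | effective_holders(parent, role_type)


def build_example():
    """The Market News tree used in the text, with made-up extra nodes."""
    market = Resource("Market News")
    europe = Resource("Europe Market News", parent=market)
    germany = Resource("Germany Market News", parent=europe)
    usa = Resource("USA Market News", parent=market, external=True)  # under TAM
    parallel = Resource("Parallel Rendering Portlet", parent=market)
    parallel_child = Resource("Parallel Rendering Details", parent=parallel)

    market.assign("Editor", "bob")
    market.assign("Manager", "mary")
    europe.inherit_blocks.add("Editor")       # Bob's Editor role stops here
    parallel.assign("Editor", "john")
    parallel.propagate_blocks.add("Editor")   # John edits this page only
    return {r.name: r for r in (market, europe, germany, usa, parallel, parallel_child)}


if __name__ == "__main__":
    tree = build_example()
    for name, res in tree.items():
        for role in ("Editor", "Manager"):
            print(f"{role}@{name}: {sorted(effective_holders(res, role))}")
```

Note that the propagation block on the portlet page cuts off Bob's inherited Editor role for the child page as well as John's, and that Mary's Manager role reaches the Europe page because the block there is for Editor only.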

Role Assignment

WebSphere Portal provides flexible role assignment. For example, say you want to give a user Privileged User rights for the Lotus Notes portlet so that he can change his Lotus Notes related preferences. This does not mean that you have to give him Privileged User rights at the portal level; instead you can assign him those rights only for the Lotus Notes portlet.

In WPS you assign a user a role at a particular node of the resource hierarchy, and the role applies to that node's whole subtree. So if you assign Editor rights to John Doe for the Marketing page, he gets those rights for the Marketing page as well as all the pages under Marketing. Similarly, if you assign the Privileged User role to John Doe for a portlet application, he gets Privileged User rights for all the portlets in that portlet application.

If you want, you can also assign a role to a user at the portal level. For example, to make John Doe administrator of the whole portal, go to the Resource Permissions portlet, click Virtual Resources -> Portal and assign the Administrator role to John Doe.

Roles and Role types

In WPS you assign a particular role to a user for a particular resource. That means you are saying that the user can perform a set of operations on that protected resource. There are two ways in which a user can get a role: either the role is assigned to the user directly (an explicit assignment), or the role is assigned to a group the user is a member of (an implicit assignment). The set of permissions granted to a specific user is the union of all permissions contained in all explicitly and implicitly assigned roles of that user.

WebSphere Portal defines the following role types:

  • User: Viewing portal content.

  • Privileged User: Viewing portal content, personalizing portlets and pages and creating new private pages

  • Contributor: Viewing portal content and creating new resources. The Contributor role type does not include the permissions to edit resources; it only allows you to create new resources.

  • Editor: Creating new shared resources and configuring existing resources that are used by multiple users.

  • Manager: Creating new shared resources as well as configuring and deleting existing resources that are used by multiple users

  • Security Administrator: Creating and deleting role assignments on resources. Being assigned Security Administrator role at some resource means that the user shall be allowed to act as a delegated administrator for that resource, in other words the Security Administrator on a resource is allowed to delegate a subset of their privileges on the resource to other people according to the Delegated Administration Policy. For example, a user who is assigned Security Administrator and Editor role on a resource can assign this Editor role to other people provided he has Delegator role on those people. Having the Security Administrator role on a resource alone does not give view or edit access to the resource.

  • Administrator: Unrestricted access on resources. This includes creating, configuring, and deleting resources. Administrators can also change the access control settings on resource; in other words grant other people access to those resources.

  • Delegator: Assigning the Delegator role to principals (users and groups) allows roles to be granted to them. Having the Delegator role on other resources, such as specific portlets, is not useful. The set of roles that can be granted to those principals is defined through the Security Administrator and Administrator role types. For example a user has a Delegator role on the SalesTeam user group but no Delegator role on the Managers user group, so this user can grant roles only to the SalesTeam or individual members of the SalesTeam user group but not to the Managers user group. Having the Delegator role on a resource does not give direct access to the resource. The purpose of the Delegator role type is to allow the granting of roles to users or groups, so assigning Delegator role on resources or resource types that are not users or user groups will not grant those users additional privileges.


The role types are arranged in a hierarchy:

[Diagram: role type hierarchy]

Each role type extends the privileges contained in the role types directly beneath it in the hierarchy. For example, Contributor can do everything that User can do, and Editor can do everything that both Contributor and User can do.
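How this hierarchy combines with explicit and implicit assignments on one resource can be shown with a short model. This is an added example, not portal code: the permission names and the "extends" edges are assumptions reconstructed from the role descriptions above (only the edges the text supports are included), and the user and group names are made up.

```python
# Added example: effective permissions of one user on one resource.
# Permission names and the "extends" edges are assumptions based on the
# role descriptions above; not WebSphere Portal code.
ROLE_PERMISSIONS = {
    "User": {"view"},
    "Privileged User": {"personalize", "create private page"},
    "Contributor": {"create"},
    "Editor": {"configure shared"},
    "Manager": {"delete"},
    "Security Administrator": {"assign roles"},
    "Administrator": {"change access control"},
}

# Which role types each role type extends (assumed from the descriptions).
EXTENDS = {
    "Privileged User": {"User"},
    "Contributor": {"User"},
    "Editor": {"Contributor"},
    "Manager": {"Editor"},
    "Administrator": {"Manager", "Security Administrator"},
}


def permissions_of(role_type):
    """All permissions of a role type, walking down the hierarchy."""
    seen, stack, perms = set(), [role_type], set()
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        perms |= ROLE_PERMISSIONS.get(r, set())
        stack.extend(EXTENDS.get(r, ()))
    return perms


def effective_permissions(user, user_groups, assignments):
    """assignments: (principal, role type) pairs on a single resource.
    Explicit = assigned to the user; implicit = assigned to one of the user's groups.
    The result is the union over both kinds, as the text states."""
    explicit = {r for p, r in assignments if p == user}
    implicit = {r for p, r in assignments if p in user_groups}
    perms = set()
    for r in explicit | implicit:
        perms |= permissions_of(r)
    return {"explicit": explicit, "implicit": implicit, "permissions": perms}


def example():
    # Made-up assignments on one page: john directly, and two groups.
    assignments = [("john", "Contributor"),
                   ("sales", "Privileged User"),
                   ("managers", "Manager")]
    return effective_permissions("john", {"sales"}, assignments)


if __name__ == "__main__":
    print(example())
```

John ends up with more than either role alone grants (create from Contributor plus personalize from the group's Privileged User), while the Manager assignment on a group he is not in contributes nothing.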

Protected Resource

To make management of actions simpler, the portal server arranges the resources in a hierarchy. Say you have a portlet application that contains 5 portlets and you want John Doe to act as manager of all 5 portlets; instead of adding John Doe as manager for each portlet you can add him as manager of the portlet application (portlets are children of the portlet application).

[Diagram: protected resource hierarchy]

The vast majority of the resources within this hierarchy represent portal resource instances that require access control protection (such as individual portal pages or portlets); but some of them are special virtual resources.

Virtual resources are used in two ways:
1. They guard sensitive operations that do not affect specific resource instances as such but the whole portal or a whole portal concept. For example, the virtual resource XmlAccess is used to protect the ability to use the XmlAccess configuration tool.
2. They group resources of the same or related resource types. For example, the virtual resource Content Nodes is the root node of all pages (resource instances of resource type Content Node) within the portal page hierarchy.

Introduction to Portal Access Control (PAC)

Portal Access Control is the single decision point within WebSphere Portal Server. It controls access to all protected resources.

The portal server has the concept of a protected resource, for example a portlet, a page, XMLAccess, etc. The portal defines a set of actions that can be performed on a resource, for example creating a page, deleting a page, updating a page. To control which actions a user can perform on a resource, the portal introduces the concept of a role. For example, the User role means you can perform only the read action, and the Administrator role means you can perform the read, add, update and delete actions. So if you want John Doe to only view a particular page but not update or delete it, assign him the User role for that page. But if you want John Doe to be able to update and delete the page, assign him the Manager role, which allows him to perform the update and delete actions on that resource.

User registry and Member Repository

In the context of WAS, a user registry stores all user and group data, including user IDs and passwords, other group attributes, user and group membership information, etc. WebSphere Application Server supports three types of user registries:

  • Local Operating System

  • Lightweight Directory Access Protocol(LDAP)

  • Custom user registry


Within WPS only LDAP and custom user registries are supported, not the Local Operating System registry, because of the configuration of the Lightweight Third-Party Authentication (LTPA) mechanism used for single sign-on.

In the context of WebSphere Portal and Member Manager, a member repository is the store
for user profile data and the group data, and their membership information. Two different
terms (user registry and member repository) are used because it is possible for the
datastores to be different. For example, when the portal server requires application specific
user attributes that are not available in LDAP server, the administrator can opt to use the
Look-Aside mechanism provided by WebSphere Member Manager. Thus the member
repository has the extension in the LookAside database tables. In most cases, however, the
user registry and member repository are in the same datastores.

WMM supports three types of member repositories:

  • database

  • LDAP

  • Custom member repository



WMM provides its own Custom User Registry (CUR) implementation (written against the Custom User Registry API provided by WAS) to be used in the configuration of the application server. WMM provides two repository implementations:

  • com.ibm.websphere.wmm.registry.WMMUserRegistry: If you enable security and are using LDAP as the user repository, the user registry type is set to Custom and the custom registry class name is com.ibm.websphere.wmm.registry.WMMUserRegistry

  • com.ibm.ws.wmm.db.DatabaseRepository



When a custom user registry (CUR) is developed by the customer, a corresponding custom member repository (CMR) must be coded for configuring WMM. The CMR API is private and unpublished. To obtain this API, IBM support must be contacted and a non-disclosure agreement must be signed.

The security of an out-of-box installation of version 6 WebSphere Portal is enabled with the
WMMUR DB option based on the embedded version of IBM Cloudscape Database. The idea
is for the administrator to have a working system right after the installation.

WebSphere Member Manager Unique Id

Every member managed by Member Manager requires a unique identifier that allows a member profile to be easily retrieved. Member Manager provides two types of unique identifiers:


  • memberDN is the distinguished name of a member, convenient for identification and display purposes. The memberDN is unique but may be changed and reused (that is, after a member is deleted from WMM a new member can be created that reuses the memberDN of the deleted member). An example memberDN for Jane Doe is uid=janedoe,ou=people,ou=sales,o=acme.com


  • memberUniqueId is unique, static and never reused. That is, once a memberUniqueId for a member is created, its value is never changed, and it is never reassigned even if the member is deleted. The memberUniqueId can be mapped to a unique attribute in the LDAP server.



The memberDN therefore uniquely identifies a member at a single point in time, while the memberUniqueId, because it is never reused, uniquely identifies a member over time. When an application such as WebSphere Portal uses Member Manager, the application may have its own application-specific repository for data that is related to a member in Member Manager. This means the application needs a linkage between the data of a member managed by Member Manager and its own application-specific data for the same member. Since the memberDN may be changed and reused, it is in general not suitable as that linkage. The memberUniqueId, which is unique, static and never reused, is suitable. In WPS the member unique identifier is called the external ID or extId. Portal Access Control uses the extId as the primary key in the permission database tables, linking users and groups to the access control data.

Introduction to WMM

The portal server uses WebSphere Member Manager (WMM) for its user and group management through an abstraction layer called the Portal User Management Architecture (PUMA). WMM supports four types of members: Person, Group, Organization Unit and Organization. Each member has a profile that describes its characteristics within the system. The portal access control mechanism understands only two types: Person and Group.

WMM provides this functionality:

  • A common mechanism to access member profiles, which are made up of attributes, regardless of where and how the member profile data is stored.

  • A set of services to manage profiles, such as create, read, update, remove and search members in the profile repository.

  • Group management: assigning members to a group, removing members from a group and querying group membership.

  • A database profile repository adapter to interact with a database profile repository. The database must follow the schema defined by WMM. The database adapter is referred to as wmmDB.

  • An LDAP profile adapter to interact with LDAP servers. The LDAP adapter is referred to as wmmLDAP. wmmLDAP is an abstraction layer, and there is an adapter module for each type of supported LDAP.


Optionally you can use a look-aside profile repository adapter to interact with a look-aside repository, which is a database conforming to the schema defined by WMM. The look-aside repository is used for storing user attributes that cannot be stored in LDAP, for example because the LDAP server is read-only or you do not want to change the LDAP schema. The adapter for look-aside is referred to as wmmLookAside. Although you can technically use wmmLookAside in conjunction with the wmmDB repository, it is usually unnecessary, since all functionality supported by wmmLookAside is also supported by wmmDB.

How does WebSphere Portal pick the default page

Someone asked me how WebSphere Portal decides the first page that should be displayed to the user after login, and whether I can change that page or display my own page.

The answer is yes, you can change the page. In WebSphere Portal all pages and labels are arranged hierarchically. The Content Root (unique name wps.content.root) is the root of the hierarchy. When you install WebSphere Portal the content root has these two labels as its first two children:

  1. Home (ibm.portal.Home): This label contains pages that are displayed to the end user. By default it has child pages like Welcome and Getting Started, and the Welcome page is displayed to the user as soon as he logs in.

  2. Administration (ibm.portal.Administration): A label containing pages with portlets used by portal administrators.



The way WPS works is that it takes the first child of the content root. If that child is a label, it descends to the label's first child, and so on, until it reaches a page; that page is used as the default page after login.
If you want to display your own portal page after login, you can either create your custom home page as the first child under ibm.portal.Home, or create your own label as the first child of the content root and add your custom page as its first child.

If you add your custom label or page directly under the content root, it is displayed in the menu that opens when you click the Launch button.
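The descent rule above, modelled in Python as an added example (not portal code). Node kinds and the page names under the labels are constructed; the unique names on the content root's two children are the ones given above. The model assumes that a first child label with no children yields no default page, which the text does not cover.

```python
# Added example: model of how the first page after login is chosen.
# Not WebSphere Portal code; page names below the labels are invented.
from dataclasses import dataclass, field


@dataclass
class ContentNode:
    unique_name: str
    kind: str                 # "label" or "page"
    children: list = field(default_factory=list)


def default_page(root):
    """Follow first children from the root, descending through labels until a page is hit."""
    node = root
    while node.children:
        node = node.children[0]
        if node.kind == "page":
            return node.unique_name
    # Assumption for the model: a leading label with no children gives no default page.
    return None


def stock_tree():
    """The out-of-the-box layout described above (page names constructed)."""
    home = ContentNode("ibm.portal.Home", "label", [
        ContentNode("welcome-page", "page"),
        ContentNode("getting-started-page", "page"),
    ])
    admin = ContentNode("ibm.portal.Administration", "label", [
        ContentNode("admin-page", "page"),
    ])
    return ContentNode("wps.content.root", "label", [home, admin])


def put_first(parent, child):
    """Make child the first child of parent, which is what changes the default page."""
    parent.children.insert(0, child)


if __name__ == "__main__":
    root = stock_tree()
    print(default_page(root))                                   # welcome-page
    put_first(root, ContentNode("my-label", "label",
                                [ContentNode("my-landing", "page")]))
    print(default_page(root))                                   # my-landing
```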

Admin commands for managing LDAP Server

I installed IBM Tivoli Directory Server 6.1 as the user repository for my WPS. These are the basic admin commands that I need to execute for managing my server.
Starting IDS

  1. Go to /opt/IBM/ldap/V6.1/sbin

  2. Execute ./idsslapd -I idsinst


Stopping IDS

  1. Go to /opt/IBM/ldap/V6.1/sbin

  2. Execute ./idsslapd -I idsinst -k



The second approach is to start the Admin Console and start and stop the LDAP server from there. But when I try to start the server it throws an error.

Using log.properties file

By default WebSphere Portal writes its debugging trace messages to the same files as WebSphere Application Server. If you want, you can change this so that the trace information generated by WebSphere Portal goes to a separate file.
To enable this you have to edit the shared/app/config/log.properties file under the portal installation directory (WPS_ROOT), which looks like this by default:

#
# Specifies if WebSphere Portal Server writes to the WebSphere Application
# Server log files or uses its own log file.
#
# Default: true
useAppServerLog = true
#
# The name of the WebSphere Portal Server's log file.
# This setting is ignored if the WebSphere Application Server's log files are
# used.
#
# The following tokens are replaced by the corresponding values:
# $APPSERVER_NAME The name of the WAS node, this should be used for vertical
# clusters to enforce that the different nodes write into
# different files or directories
# $CREATE_TIME The time a file was created
#
# Default: log/wps_$CREATE_TIME.log
logFileName = log/wps_$CREATE_TIME.log

In this file the value of the useAppServerLog property defines whether the portal uses a separate log file. By default it is set to true, so the portal server writes to the WAS trace.log file. If you set it to false (meaning use a separate log file), the portal server reads the value of the logFileName property to find the location of the log file where the trace messages should be written. In a vertical cluster, use the $APPSERVER_NAME token in logFileName so that the different nodes do not write into the same file.

Once you make changes in log.properties you have to restart the server for them to take effect. After the restart, the log generated by portal components such as PUMA goes to the separate file.

Using the Enable Tracing portlet

You can enable tracing for a portal component temporarily by going to WebSphere Portal -> Administration -> Enable Tracing portlet.
For example, to enable tracing for PUMA, go to the Enable Tracing portlet and add these strings:

com.ibm.wps.puma.*=all
com.ibm.wps.services.puma.*=all

Note one very important thing: whatever changes you make in the Enable Tracing portlet take effect immediately and are lost when you restart the server. It is the same as making changes on the Runtime tab in the WAS Admin Console.

Now your Enable Tracing portlet should look like this:
[Screenshot: Enable Tracing portlet with the PUMA trace strings added]

Once you are done debugging your problem you can disable the tracing by deleting all the trace strings except *=INFO.

Utilizing logs for troubleshooting

WebSphere Portal uses the System Event logging facility as its logging framework: portal components such as the portal aggregation engine, the personalization engine, etc. write to the System Event log. This facility is built on top of the WebSphere Application Server trace facility. If you are an administrator, System Event logging can provide you with information on abnormal events, such as errors that occurred during the operation of the portal.

When you open a support request with IBM they will normally ask you to collect the trace generated by System Event logging on your system and send it to them. For example, if you are facing a problem registering a new user or editing the profile of an existing user, they will ask you to collect a trace for the user registry related PUMA components.

The System Event log messages can be divided into two types:

  1. Message logging: WebSphere Portal provides logging of messages that report errors and status information. The messages can be divided into ERROR, WARNING and INFO types.

  2. Trace logging: WebSphere Portal provides logging of debugging messages called traces. These traces are useful for fixing problems. However, to save system resources, they are switched off by default.



Message logging is enabled by default and writes messages to SystemOut.log and SystemErr.log. For example, if you go to the Enable Tracing portlet and add an additional trace string, it writes these messages to SystemOut.log:

[/WEB-INF/jsp/ManageLogView.jsp]: Initialization successful.
[10/10/08 13:54:13:732 EDT] 0000008e ManagerAdmin I TRAS0018I: The trace state has changed. The new trace state is *=info: com.ibm.websphere.wmm.*=all:com.ibm.ws.wmm.*=all:WSMM=all:com.ibm.wps.services.puma.*=all.
[10/10/08 13:54:30:106 EDT] 0000008d ManagerAdmin I TRAS0018I: The trace state has changed. The new trace state is *=info: com.ibm.websphere.wmm.*=all:com.ibm.ws.wmm.*=all:WSMM=all:com.ibm.wps.services.puma.*=all:com.ibm.wps.puma.*=all.
[10/10/08 13:55:05:402 EDT] 0000007b ServletWrappe A SRVE0242I: [wps] [/wps] [/themes/html/IBM/mainMenu.jsp]: Initialization successful.


Enabling trace logging has a performance impact, so it is disabled by default. You can enable trace logging using the WAS Admin Console or the portal administration portlets. Normally you enable trace logging for a particular Java package or class. For example, if you want to debug problems related to user profile creation, update or authentication, you can go to the Portal Infocenter, find the names of the authentication related Java packages in the portal server, and you get this trace string:

com.ibm.wps.engine.*=all:
com.ibm.wps.services.puma.*=all:
com.ibm.wps.puma.*=all:
com.ibm.wps.sso.*=all:
com.ibm.wps.services.authentication.*=all


Once you have the trace string you can enable it using one of two methods:

  1. Using WAS Admin Console

  2. Using Enable trace portlet

Modify default passwords for WebSphere Portal

User IDs and passwords are stored in the underlying user repository (LDAP or Cloudscape). So if you want to change a user's password you have two options:
  1. Edit Profile portlet: Users can change their own password using the Edit Profile portlet. This is the only way of changing a password if you are using the database as the user repository. If you are using LDAP as the user repository, make sure that the user the portal binds to LDAP with has write access.
  2. Using LDAP admin tools: You can change the password directly in LDAP, either using the LDAP admin tool or one of the change/reset password tools provided by your organization.
If you are changing the password of a non-admin user you do not have to make any other changes. But if you are changing the password of the PortalAdminId user you have to take some additional steps:
  • Change the password in configuration files like wpconfig.properties. Alternatively, delete the passwords from the configuration files: execute WPSconfig.sh delete-passwords to delete the passwords from all the configuration files.
  • Change the password using the Edit Profile portlet or in LDAP, and then restart the portal server.
  • When you restart the portal server you will notice that some applications fail to initialize. You should see errors like these in SystemOut.log:
    [10/5/08 13:06:21:564 EDT] 00000037 ApplicationMg A   WSVR0200I: Starting application: LWP_Security_Ext
    [10/5/08 13:06:21:762 EDT] 00000037 EJBContainerI I   WSVR0207I: Preparing to start EJB jar: accessEJB.jar
    [10/5/08 13:06:21:814 EDT] 00000037 EJBContainerI I   WSVR0037I: Starting EJB jar: accessEJB.jar
    [10/5/08 13:06:22:056 EDT] 00000037 LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA. The exception is WMM-UR: The password check for user security name "uid=wpsadmin,cn=users,dc=ibm,dc=com" failed. Root cause is: "javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]"..
    [10/5/08 13:06:22:061 EDT] 00000037 MethodDelegat A   SECJ0055E: Authentication failed for uid=wpsadmin,cn=users,dc=ibm,dc=com. The user id or password may have been entered incorrectly or misspelled.  The user id may not exist, the account could have expired or disabled.  The password may have expired.
    [10/5/08 13:06:22:124 EDT] 00000037 LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA. The exception is WMM-UR: The password check for user security name "uid=wpsadmin,cn=users,dc=ibm,dc=com" failed. Root cause is: "javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]"..
    [10/5/08 13:06:22:136 EDT] 00000037 MethodDelegat A SECJ0055E: Authentication failed for uid=wpsadmin,cn=users,dc=ibm,dc=com. The user id or password may have been entered incorrectly or misspelled. The user id may not exist, the account could have expired or disabled. The password may have expired.

    The problem is that the wpsadmin user's password is also stored in the ibm-application-bnd.xmi file in XOR encoded format, and that copy is not changed to the new password. Follow the instructions in the IBM tech note to fix this problem.
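The {xor} format used in that binding file is obfuscation, not encryption: WebSphere XORs each byte of the password with the character '_' and base64-encodes the result. The code below is an added example, not part of the original post or an IBM tool; it shows the encode and decode steps and a finder for encoded values in a config file, which is the reason these files need restrictive permissions and the reason deleting passwords from configuration files, as described above, is preferable to leaving them there. The binding fragment is constructed for the example.

```python
# Added example: WebSphere "{xor}" password encoding. Reversible by anyone
# who can read the file; it provides no confidentiality.
import base64
import re

XOR_KEY = 0x5F  # the character '_'
PREFIX = "{xor}"


def xor_encode(plain: str) -> str:
    """Encode a password the way WebSphere writes it into config files."""
    data = bytes(b ^ XOR_KEY for b in plain.encode("utf-8"))
    return PREFIX + base64.b64encode(data).decode("ascii")


def xor_decode(encoded: str) -> str:
    """Recover the plaintext from a {xor} value."""
    if not encoded.startswith(PREFIX):
        raise ValueError("not a {xor}-encoded value")
    raw = base64.b64decode(encoded[len(PREFIX):])
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")


def find_xor_values(config_text: str) -> list:
    """Every {xor} value in a config file, so you can see which files carry credentials."""
    return re.findall(r"\{xor\}[A-Za-z0-9+/=]+", config_text)


def decode_all(config_text: str) -> dict:
    """Map each {xor} value found in the text to its plaintext."""
    return {v: xor_decode(v) for v in find_xor_values(config_text)}


# Constructed fragment in the style of an application binding file; not a
# real ibm-application-bnd.xmi. The encoded value is the classic one for "password".
SAMPLE_BND = """<!-- constructed example fragment -->
<runAsBinding userId="wpsadmin" password="{xor}Lz4sLCgwLTs="/>
"""

if __name__ == "__main__":
    print(xor_encode("password"))
    print(decode_all(SAMPLE_BND))
```

Anything that can read ibm-application-bnd.xmi, wpconfig.properties or a backup of either can run the decode step, so treat these files as you would a plaintext password file.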

Finding out Portal Version, Fixes installed

If you want to open a PMR with IBM support you should also mention the version of the product that you have installed. So the question is how to figure out the current version of the portal and which fixes are installed in your environment. There are several ways to do that.

1) From the SystemOut.log file: at startup, WebSphere Portal writes the current version of the portal and the names of the installed fixes to SystemOut.log. This is a sample from my environment:

--------------------------------------------------------------------------------
IBM WebSphere Portal 6.0.1.4
Licensed Materials - Property of IBM
5724-E76 and 5655-R17
(C) Copyright IBM Corp. 2001, 2006 - All Rights Reserved.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
--------------------------------------------------------------------------------
Build Level: wp6014_010_01 (2008-08-01 12:24)
--------------------------------------------------------------------------------
[10/4/08 1:10:34:486 EDT] 00000014 ProductServic I com.ibm.wps.services.product.ProductServiceImpl findInstalledFixes EJPFD0051I: The following fix packs have been installed: WP_PTF_6014 (IBM WebSphere Portal, Version 6.0.1.4 Fix Pack)
[10/4/08 1:10:34:770 EDT] 00000014 ProductServic I com.ibm.wps.services.product.ProductServiceImpl findInstalledFixes EJPFD0053I: The following fix packs have been installed: PK65130 (Invalid transaction sequence error when administering composite applications) PK70764 (Incorrect Policy type error is not propogated to UI.) PK68128 (Fix for PK68128) PK68469 (XMLAccess does not maintain ObjectIDs of WSRP consumed portlets) PK70141 (UNABLE TO CREATE A DRAFT FROM PUBLISH CONTENT WITH WCM DUE TO JCR EXCEPTION. PROBLEM OCCURS WITH SQL SERVER 2005 ONLY) PK64433 ( RCSS - Support displaying scope locations label in Manage Search admin portlet) PK70179 (ReleaseBuilder does not remove skinref definitions) PK68184 (Theme Policy Tracing needs improvement) PK68030 (Siteminder prevents managepages search URL being accepted) PK68278 (Improve hash code computation for ObjectIDs of migrated resources) PK68669 (Memory leak in XMLAccess)
2) There are some command line utilities that you can use:
  1. portal_base/bin/WPVersionInfo.sh: This command prints the current version of the portal on the command line. You can use it to find out the fix pack or portal version level, for example 6.0.1.4. This utility does not list the individual fixes (for example PK68278) installed in your environment.
  2. portal_base/bin/genVersionReport.sh: This command generates an HTML report in your bin directory. The report lists all the fix packs and fixes that are installed in your environment along with the time of installation. Take a look at the sample versionReport.html
  3. portal_base/bin/genHistoryReport.sh: This command generates an HTML report in your bin directory. The report lists all the fix packs and fixes that were installed or uninstalled in your environment along with the time of installation or uninstallation. This file gives you good feedback on which fixes you installed and then uninstalled. Take a look at the sample historyReport.html
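Parsing these records with a script instead of by eye is worth doing, because the same WAS log record format carries the trace-state changes from the Enable Tracing portlet, the SECJ0369E authentication failures after a password change, and the EJPFD0053I fix list above. The parser below is an added example, not an IBM tool; the sample log is constructed from lines quoted on this page, including one record wrapped across two lines and two records run together on one line, which are the real-world cases the splitter has to handle.

```python
# Added example: parser for WAS/Portal SystemOut.log records.
# Record shape: [timestamp] threadId component level message
import re

RECORD = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<thread>[0-9a-f]{8})\s+(?P<component>\S+)\s+"
    r"(?P<level>[A-Z])\s+(?P<message>.*)$", re.S)
MSG_ID = re.compile(r"\b([A-Z]{4,5}\d{4}[A-Z])\b")           # e.g. SECJ0369E, EJPFD0053I
APAR = re.compile(r"\b(PK\d{5})\s*\(([^)]*)\)", re.S)          # PKnnnnn (description)
AUTH_FAIL = re.compile(r'user security name "([^"]+)" failed\. Root cause is: "([^"]+)"')
TRACE_STATE = re.compile(r"The new trace state is (.+?)\.?$")


def split_records(text):
    """Split raw text into records; records start at a bracketed timestamp,
    even when several were written onto one line."""
    parts = re.split(r"(?=\[\d{1,2}/\d{1,2}/\d{2,4} \d{1,2}:\d{2}:\d{2})", text)
    return [p.strip() for p in parts if p.strip()]


def parse_record(raw):
    m = RECORD.match(raw)
    if not m:
        return None
    rec = m.groupdict()
    mid = MSG_ID.search(rec["message"])
    rec["msg_id"] = mid.group(1) if mid else None
    return rec


def parse_log(text):
    return [r for r in map(parse_record, split_records(text)) if r]


def auth_failures(records):
    """(user DN, root cause) for every SECJ0369E LTPA authentication failure."""
    out = []
    for r in records:
        if r["msg_id"] == "SECJ0369E":
            m = AUTH_FAIL.search(r["message"])
            if m:
                out.append((m.group(1), m.group(2)))
    return out


def trace_state_changes(records):
    """Trace specification components, one list per TRAS0018I record."""
    out = []
    for r in records:
        if r["msg_id"] == "TRAS0018I":
            m = TRACE_STATE.search(r["message"])
            if m:
                out.append([c.strip() for c in m.group(1).split(":")])
    return out


def installed_fixes(records):
    """APAR -> description from EJPFD0053I records; descriptions may wrap across lines."""
    fixes = {}
    for r in records:
        if r["msg_id"] == "EJPFD0053I":
            for apar, desc in APAR.findall(r["message"]):
                fixes[apar] = " ".join(desc.split())
    return fixes


# Constructed sample assembled from records quoted on this page.
SAMPLE_LOG = """\
[10/10/08 13:54:13:732 EDT] 0000008e ManagerAdmin I TRAS0018I: The trace state has changed. The new trace state is *=info: com.ibm.websphere.wmm.*=all:com.ibm.ws.wmm.*=all:WSMM=all:com.ibm.wps.services.puma.*=all.
[10/4/08 1:10:34:770 EDT] 00000014 ProductServic I com.ibm.wps.services.product.ProductServiceImpl findInstalledFixes EJPFD0053I: The following fix packs have been installed: PK65130 (Invalid transaction sequence error when administering composite applications) PK70141 (UNABLE TO CREATE A DRAFT FROM PUBLISH CONTENT WITH WCM DUE TO JCR EXCEPTION.
PROBLEM OCCURS WITH SQL SERVER 2005 ONLY) PK68669 (Memory leak in XMLAccess)
[10/5/08 13:06:22:056 EDT] 00000037 LTPAServerObj E SECJ0369E: Authentication failed when using LTPA. The exception is WMM-UR: The password check for user security name "uid=wpsadmin,cn=users,dc=ibm,dc=com" failed. Root cause is: "javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]"..[10/5/08 13:06:22:061 EDT] 00000037 MethodDelegat A SECJ0055E: Authentication failed for uid=wpsadmin,cn=users,dc=ibm,dc=com. The user id or password may have been entered incorrectly or misspelled.
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(auth_failures(recs))
    print(trace_state_changes(recs))
    print(installed_fixes(recs))
```

Run it over a real SystemOut.log and the three functions give you the list of identities failing LTPA authentication (a changed admin password shows up as a burst of these for one DN), the trace specification actually in effect, and the exact APAR list to put in the PMR.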

Troubleshooting installation issues

WebSphere Portal generates log files in four different locations during installation. If your installation fails for some reason, you have to figure out at which step the installation failed and then look into the corresponding log files for details about the failure:
  1. WAS_ROOT\logs\install: Has log files generated during the WebSphere Application server installation and profile creation
    1. log.txt: Contains the trace information generated during the installation of WebSphere Application Server. Check this log if you have problems with the installation of WebSphere Application Server

  2. WPS_ROOT\log directory has the log files generated during the WebSphere Portal Server configuration.
    1. wpinstalllog.txt: Contains the trace information that was generated during the installation of websphere portal server. Check this file if WebSphere Portal Server installation stops before successful completion
    2. installmessages.txt: Contains messages that are generated during installation. The messages in this file are translated for the language that is specified during installation. Check this log for errors generated during installation.
    3. LocalizeTrace.archiveX.log,: LocalizeTrace.archive1.log to LocalizeTrace.archive5.log files are generated during the archive installation/fixup.
    4. responselog.txt: Installation response file. Irrespective of how you install WebSPhere Portal, the portal server installation program would collect all the user responses and such as location of WebSphere Portal Server installation directory, WAS installation directory,.. and save them in responselog.txt file. You can check this file to verify your inputs on wizard or console
  3. WPS_PROFILE_ROOT\log directory has the log files that were generated during
    1. wpinstalllog_base.txt:Contains trace information that is generated by the installation program. This file contains a copy of wpinstalllog.txt prior to the launch of the installation program, which then deletes wpinstalllog.txt.Check this log if the WebSphere Portal installation onto a WebSphere Application Server base profile stops before successful completion.
  4. Temp directory: The installation program generates log files in temp directory before actual installation starts and the portal installation directory structure gets created.
    1. installtraces1.txt installtraces2.txt installtraces3.txt :Contain trace information generated by the dependency checking function. Output is added to installtraces1.txt until it reaches a predefined size, at which point output goes into installtraces2.txt and then into installtraces3.txt. When installtraces3.txt is full, output reverts to installtraces1.txt and overwrites previous trace information.Check these files if there are problems with component discovery and dependency checking.
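The list above is really a sequence: dependency checking writes to the temp directory first, then WAS is installed, then the portal, then the portal is configured onto the profile, so the first log in that order that contains a failure tells you the step that broke. The script below is an added example (not part of this post or of the installer) that walks the four locations in that order and reports the first stage whose log shows a failure. It assumes the caller passes the four root directories, and its FAILURE_RE is a generic guess, since the installer's actual message ids are not given here; tune it to what your logs show. The rotating installtraces1-3 files are read in modification-time order, since the newest of the three is not necessarily installtraces3.txt.

```python
import os
import re

# Added example (not part of the post): check the four log locations the text
# lists, in the order the installer writes them, and report the first stage
# whose log contains something that looks like a failure. Assumptions: the
# caller passes the four roots; FAILURE_RE is a generic guess, since the
# installer's actual message ids are not given on the page, so tune it to what
# you see in your logs.

FAILURE_RE = re.compile(r"\b(error|exception|failed|fatal)\b", re.IGNORECASE)


def stages(was_root, wps_root, wps_profile_root, temp_dir):
    """Installer stages in write order, each with the logs the post names for it."""
    return [
        ("dependency checking (temp dir)",
         [os.path.join(temp_dir, "installtraces%d.txt" % i) for i in (1, 2, 3)]),
        ("WebSphere Application Server install / profile creation",
         [os.path.join(was_root, "logs", "install", "log.txt")]),
        ("WebSphere Portal install / configuration",
         [os.path.join(wps_root, "log", "wpinstalllog.txt"),
          os.path.join(wps_root, "log", "installmessages.txt")]),
        ("WebSphere Portal install onto a base profile",
         [os.path.join(wps_profile_root, "log", "wpinstalllog_base.txt")]),
    ]


def existing_by_mtime(paths):
    """installtraces1-3 rotate, so read whichever exist from oldest to newest."""
    return sorted((p for p in paths if os.path.isfile(p)), key=os.path.getmtime)


def failures_in(path, max_hits=5):
    """Up to max_hits (line_no, text) pairs in one log that match FAILURE_RE."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            if FAILURE_RE.search(line):
                hits.append((no, line.rstrip()))
                if len(hits) >= max_hits:
                    break
    return hits


def triage(was_root, wps_root, wps_profile_root, temp_dir):
    """(stage, log_path, hits) for the first stage with failures, else None."""
    for stage, logs in stages(was_root, wps_root, wps_profile_root, temp_dir):
        for path in existing_by_mtime(logs):
            hits = failures_in(path)
            if hits:
                return stage, path, hits
    return None


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 5:
        sys.exit("usage: triage.py WAS_ROOT WPS_ROOT WPS_PROFILE_ROOT TEMP_DIR")
    result = triage(*sys.argv[1:])
    if result is None:
        print("no failure markers in any listed log")
    else:
        stage, path, hits = result
        print("first failing stage:", stage, "->", path)
        for no, text in hits:
            print("  line %d: %s" % (no, text))
```

The script stops at the first failing stage on purpose: errors in later logs are usually consequences of the earlier failure, and the responselog.txt entry from the list above is the file to compare against once you know which stage to look at.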

Dynamic Caching

Caching is a common requirement for J2EE applications. If you want to cache an object so that it is available across the different servers of a cluster, look at the Dynamic Cache service provided by WAS.
Attaching a DynaCacheSamplePortlet that shows how to use DynaCache.

Parallel Rendering of Portlet Sample

Attaching a sample portlet application that you can use for playing with parallel rendering of portlets. First install the PrallelRenderingTest.war file as a portlet application. It has 4 portlets; add all of them to one page, say "Parallel rendering Test Page".
In the sample portlets I print the name of the current thread, and in the ParallelRendering 1 and 2 portlets I call Thread.sleep() to put the current render() request to sleep.
When you access the Parallel rendering test page you should see output like this:
[9/26/08 6:15:33:549 EDT] 000000ab SystemOut O Entering ParallelRenderingPortlet1 WebContainer : 6 Fri Sep 26 06:15:33 EDT 2008
[9/26/08 6:15:35:164 EDT] 000000ab SystemOut O Exiting ParallelRenderingPortlet1 Fri Sep 26 06:15:35 EDT 2008
[9/26/08 6:15:35:170 EDT] 000000a9 SystemOut O Entering ParallelRenderingPortlet 2 WebContainer : 6 Fri Sep 26 06:15:35 EDT 2008
[9/26/08 6:15:38:673 EDT] 000000a9 SystemOut O Exiting ParallelRenderingPortlet 2 Fri Sep 26 06:15:38 EDT 2008
[9/26/08 6:15:38:677 EDT] 000000a9 SystemOut O Entering Sequential rendering portlet 2 WebContainer : 6 Fri Sep 26 06:15:38 EDT 2008
[9/26/08 6:15:38:677 EDT] 000000a9 SystemOut O Exiting Sequential rendering portlet 2 Fri Sep 26 06:15:38 EDT 2008
[9/26/08 6:15:38:681 EDT] 000000a9 SystemOut O Entering Sequential rendering portlet 1 WebContainer : 6 Fri Sep 26 06:15:38 EDT 2008
[9/26/08 6:15:38:681 EDT] 000000a9 SystemOut O Exiting Sequential rendering portlet 1 Fri Sep 26 06:15:38 EDT 2008
As you can see, the thread name for all 4 portlets is WebContainer : 6.
Now enable parallel rendering at the portal server level and at the portlet level and access the page again:
[9/26/08 6:26:10:246 EDT] 000000ab SystemOut O Entering ParallelRenderingPortlet 2 WorkManager.wpsWorkManager : 0 Fri Sep 26 06:26:10 EDT 2008
[9/26/08 6:26:10:295 EDT] 000000a7 SystemOut O Entering ParallelRenderingPortlet1 WebContainer : 4 Fri Sep 26 06:26:10 EDT 2008
[9/26/08 6:26:25:296 EDT] 000000a7 SystemOut O Exiting ParallelRenderingPortlet1 Fri Sep 26 06:26:25 EDT 2008
[9/26/08 6:26:27:306 EDT] 000000a7 AbstractRende E com.ibm.wps.pe.ext.render.AbstractRenderManager performService EJPPG1110E: A timeout occurred when reading the output for portlet window Control (ParallelRenderingPortlet2, [ObjectIDImpl '7_32DSUKG100GBC027P3ULPA00G0', NAVIGATION_NODE, VP: 0, [Domain: rel], DB: 0000-4334EE290C00C0C5803879F89A150010], [ObjectIDImpl '6_32DSUKG100GBC027P3ULPA0000', CONTENT_NODE, VP: 0, [Domain: rel], DB: 0000-4334EE290C00C0C5803879F89A150000], 200 that is rendered in a parallel thread. The portlet output will not be displayed.
[9/26/08 6:26:45:244 EDT] 000000ab SystemOut O Exiting ParallelRenderingPortlet 2 Fri Sep 26 06:26:45 EDT 2008
[9/26/08 6:51:27:264 EDT] 000000a7 SystemOut O Entering Sequential rendering portlet 2 WebContainer : 4 Fri Sep 26 06:51:27 EDT 2008
[9/26/08 6:51:27:265 EDT] 000000a7 SystemOut O Exiting Sequential rendering portlet 2 Fri Sep 26 06:51:27 EDT 2008
[9/26/08 6:51:27:334 EDT] 000000a7 SystemOut O Entering Sequential rendering portlet 1 WebContainer : 4 Fri Sep 26 06:51:27 EDT 2008
[9/26/08 6:51:27:334 EDT] 000000a7 SystemOut O Exiting Sequential rendering portlet 1 Fri Sep 26 06:51:27 EDT 2008
As you can see, ParallelRenderingPortlet 2 was rendered in the WorkManager.wpsWorkManager : 0 thread, whereas ParallelRenderingPortlet1 was rendered in the WebContainer : 4 thread, the same request thread that also rendered Sequential rendering portlets 1 and 2.
You can also see the "A timeout occurred when reading the output for portlet window Control" message (EJPPG1110E) in SystemOut.log. It is there because ParallelRenderingPortlet 2 sleeps for 35000 milliseconds, which is more than the parallel rendering timeout value, so the portal server aborts rendering of that portlet and writes this message to the log. Note that the message is logged at 6:26:27, about two seconds after the request thread finished ParallelRenderingPortlet1 at 6:26:25, which matches the default timeout of 2000 milliseconds. On the user side the portal renders the output of the other 3 portlets and shows an error message in place of ParallelRenderingPortlet 2.
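Reading thread names and timestamps out of SystemOut.log by eye does not scale past one test page. The script below is an added example (not part of this post or of the sample portlet) that reduces the log lines from the second run to one record per portlet: the thread that rendered it, how long render() took, and whether the portal gave up on it with EJPPG1110E. It assumes the portlets log "Entering <name> <thread> <date>" and "Exiting <name> <date>" exactly as the sample portlet does, and uses the default parallelRenderingTimeOut of 2000 ms as the threshold. The sample lines are constructed from the excerpt above, with the ObjectID detail of the EJPPG1110E line trimmed.

```python
import re
from datetime import datetime

# Added example (not part of the post or the sample portlet): reduce the
# SystemOut.log lines from the second run above to one record per portlet:
# the thread that rendered it, how long render() took, and whether the portal
# gave up on it (EJPPG1110E). Assumptions: the portlets log "Entering <name>
# <thread> <date>" / "Exiting <name> <date>" as the sample portlet does, and
# the threshold is the default parallelRenderingTimeOut of 2000 ms.

TS_RE = re.compile(r"^\[(\d+/\d+/\d+ \d+:\d+:\d+:\d+) \w+\]")
ENTER_RE = re.compile(
    r"Entering (?P<name>.+?) (?P<thread>(?:WebContainer|WorkManager\.\w+) : \d+) ")
EXIT_RE = re.compile(r"Exiting (?P<name>.+?) (?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) ")
TIMEOUT_RE = re.compile(r"EJPPG1110E:.*?portlet window Control \((?P<name>[^,]+),")
EPOCH = datetime(1970, 1, 1)

# Constructed from the log excerpt above (ObjectID detail of the EJPPG1110E line trimmed).
SAMPLE_LOG = [
    "[9/26/08 6:26:10:246 EDT] 000000ab SystemOut O Entering ParallelRenderingPortlet 2 WorkManager.wpsWorkManager : 0 Fri Sep 26 06:26:10 EDT 2008",
    "[9/26/08 6:26:10:295 EDT] 000000a7 SystemOut O Entering ParallelRenderingPortlet1 WebContainer : 4 Fri Sep 26 06:26:10 EDT 2008",
    "[9/26/08 6:26:25:296 EDT] 000000a7 SystemOut O Exiting ParallelRenderingPortlet1 Fri Sep 26 06:26:25 EDT 2008",
    "[9/26/08 6:26:27:306 EDT] 000000a7 AbstractRende E com.ibm.wps.pe.ext.render.AbstractRenderManager performService EJPPG1110E: A timeout occurred when reading the output for portlet window Control (ParallelRenderingPortlet2, [ObjectIDImpl '7_32DSUKG100GBC027P3ULPA00G0', NAVIGATION_NODE], 200 that is rendered in a parallel thread. The portlet output will not be displayed.",
    "[9/26/08 6:26:45:244 EDT] 000000ab SystemOut O Exiting ParallelRenderingPortlet 2 Fri Sep 26 06:26:45 EDT 2008",
    "[9/26/08 6:51:27:264 EDT] 000000a7 SystemOut O Entering Sequential rendering portlet 2 WebContainer : 4 Fri Sep 26 06:51:27 EDT 2008",
    "[9/26/08 6:51:27:265 EDT] 000000a7 SystemOut O Exiting Sequential rendering portlet 2 Fri Sep 26 06:51:27 EDT 2008",
]


def _key(name):
    # The Entering line says "ParallelRenderingPortlet 2", the EJPPG1110E line
    # "ParallelRenderingPortlet2": normalise so both map to the same record.
    return re.sub(r"\s+", "", name).lower()


def _millis(line):
    """Timestamp of a SystemOut line as integer milliseconds (exact arithmetic)."""
    stamp = datetime.strptime(TS_RE.match(line).group(1), "%m/%d/%y %H:%M:%S:%f")
    delta = stamp - EPOCH
    return delta.days * 86400000 + delta.seconds * 1000 + delta.microseconds // 1000


def summarize_render_log(lines, timeout_ms=2000):
    """{portlet_key: record}; record = name, thread, parallel, duration_ms
    (None if no Exiting line), over_timeout, timed_out."""
    recs = {}
    for line in lines:
        m = ENTER_RE.search(line)
        if m:
            recs[_key(m["name"])] = {
                "name": m["name"], "thread": m["thread"],
                "parallel": m["thread"].startswith("WorkManager"),
                "start": _millis(line), "duration_ms": None,
                "over_timeout": False, "timed_out": False}
            continue
        m = EXIT_RE.search(line)
        if m and _key(m["name"]) in recs:
            rec = recs[_key(m["name"])]
            rec["duration_ms"] = _millis(line) - rec["start"]
            rec["over_timeout"] = rec["duration_ms"] > timeout_ms
            continue
        m = TIMEOUT_RE.search(line)
        if m and _key(m["name"]) in recs:
            recs[_key(m["name"])]["timed_out"] = True
    return recs


def main_thread_ms(recs):
    """Render time spent on the request thread itself: the portlets that did
    not get a WorkManager thread add up, exactly as in the sequential case."""
    return sum(r["duration_ms"] or 0 for r in recs.values() if not r["parallel"])


if __name__ == "__main__":
    recs = summarize_render_log(SAMPLE_LOG)
    for r in recs.values():
        print("%-30s %-32s %6s ms  over_timeout=%-5s timed_out=%s" % (
            r["name"], r["thread"], r["duration_ms"], r["over_timeout"], r["timed_out"]))
    print("request thread busy rendering:", main_thread_ms(recs), "ms")
```

Running it on the sample shows what the prose says and one thing the prose does not: ParallelRenderingPortlet1 was enabled for parallel rendering but ran on WebContainer : 4, the request thread, for 15 seconds, so it was never subject to the timeout and the whole page waited for it. Only the portlet that actually got a WorkManager thread (ParallelRenderingPortlet 2) was cut off. Parallel rendering limits the damage from a slow portlet only when the portal really hands it to a separate thread.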
The PortletContainer Service Link has further information about parallel rendering

Parallel Rendering of Portlet

By default WebSphere Portal renders all the portlets on a page sequentially. For example, if you have 4 different portlets on one page, WebSphere Portal creates one thread for handling the request and calls the render() method of each portlet one after another, so the total response time is the sum of the execution times of all the portlets. One important point to remember is that the page is not displayed to the user until the render() methods of all the portlets have finished.
This is acceptable in most cases, but if you have a portlet that accesses a database or file system and takes a long time to return a result, the page may time out. For example, one of my clients had an issue where the portal was serving a blank white page. When we debugged the issue we realized that one of the portlets was trying to access a DB process which for some reason was taking very long, so the connection from the ODR to the portal server timed out and the user got a blank page. In the same case, if you accessed the portal directly it took a long time but eventually displayed the output.
In cases like this you might want to enable parallel rendering. With parallel rendering enabled, the portal server tries to create separate threads and calls the portlets' render() methods from those threads in parallel. Another advantage of this approach is that you can set a timeout (by default 2000 milliseconds): the portal server waits that long and, if a portlet's render() method has not finished by then, ignores that portlet and displays the rest of the page. Make sure this timeout is less than your ODR or HTTP server connection timeout so that the user does not get a blank page.

Enabling Parallel rendering


By default parallel rendering is disabled. You have to enable it first globally at the portal server level and then at the portlet level. Enabling parallel rendering at the portal server level does not open a separate thread for every portlet on the page; only portlets that have parallel rendering enabled are rendered in separate threads, and the other portlets on the page are still rendered sequentially.
A second important point is that enabling parallel rendering for a portlet is only a hint to WPS; WPS does not necessarily create a separate thread for every portlet that is enabled for parallel rendering. It is recommended not to enable parallel rendering for every portlet but only for the portlets that really need it, e.g. a portlet that accesses an external resource that might take time, or a WSRP consumer portlet. This way WPS can use the separate threads more efficiently.

Enabling Parallel rendering at the level of Portal Server



You can change the portal-wide settings for parallel portlet rendering in the PortletContainerService. Two different parameters configure parallel portlet rendering, depending on the type of portlets you want rendered in parallel.
1) For IBM portlets enable the following parameter:

legacy.useParallelRendering.html=true

2) For standard portlets, or for remote portlets that you integrated in a WSRP Consumer portal, enable the following parameter:

std.useParallelRendering.html=true

Note that the .html suffix is optional; with it, parallel rendering is enabled only for HTML markup. In markups like WML there is only one portlet on a page, so parallel rendering makes no sense there.
In addition there are a few more parameters you can set at the PortletContainerService level:

  • parallelRenderingTimeOut: The timeout in milliseconds after which the render process of a portlet is aborted. The default value is 2000 (2 seconds).

  • parallelRenderingWaitTimeOut: The waiting time in milliseconds for parallel threads to finish the render process of portlets. The default is 1 millisecond. A low value can result in exceptions caused by portlets that could not finish their parallel rendering process; a high value can increase the response time. The value 0 (zero) specifies that no timeout occurs and the main thread waits for all portlets to finish.

  • parallelRenderingChunkSize: The size of the chunks in bytes that are read from the queue. The default value is 1024 bytes.


Enabling Parallel rendering at portlet level


Once parallel rendering is enabled at the portal level, you can enable it at the portlet level. There are different methods for doing that depending on your role:

  • Developer: If you are the portlet developer, you can enable parallel rendering with the parameter parallel = true (the default is false). Set it as a configuration parameter in IBM portlets or as a read-only preference in standard portlets.

  • Administrator: If you are an administrator, you can change the setting for a portlet to parallel rendering in the Manage Portlets portlet.


Proceed by the following steps:

  1. Select Portal Administration > Portlet Management > Portlets.

  2. Select the desired portlet and click on the Configure (wrench) icon. The portal displays the panel for configuring the portlet.

  3. Mark the Enable parallel rendering checkbox to enable parallel rendering for the portlet.


When you enable a portlet for parallel rendering it should look like this.



Take a look at Infocenter for more information on Parallel portlet rendering

Creating VMWare Image for WebSphere Portal

In order to prepare for my WebSphere Portal Server 6.0 Admin test, I thought I would first create a VMWare image and then use it for all my experiments without disturbing my Windows laptop setup. This lets me try a lot of things without going through the uninstall/install cycle.
I followed these steps for setting up the VMWare image:
1) Download the CentOS 5.2 VMWare image from http://www.thoughtpolice.co.uk/. CentOS is free, based on Red Hat Linux, and very user friendly.
2) After downloading the VMWare image, unzip it on disk and start it. On the first startup it asks you for initial setup items like the timezone, ...
3) Once the OS has started you can log in with root/thoughtpolice. That password is published with the image, so change it before the VM is reachable from any network.
4) It shows you the list of updates that are available for CentOS; I decided to apply all the updates and restarted the system.
One issue with this CentOS image is that by default it has only an 8 GB disk, which is not sufficient for a portal installation. So I used the instructions at http://www.matttopper.com/?p=25 to add a new 12 GB disk to my CentOS virtual machine. At this point also change the memory size of the VMWare machine to 2 GB (you will need this when you try to apply a fix pack to WPS). I also added the line "ulimit -n 10240" to .bashrc.

Installing WPS

Note that you won't be able to use the wizards for installing WebSphere Portal or for applying WAS or WPS fix packs on CentOS 5; they keep complaining about missing libraries. So I had to use the -console option for installing WPS, then change the response files and use them for installation. I like that approach now because the response files have a nice description of each option, and it is a good learning experience.

Preparing Cent OS for WPS

After installing WPS I tried to install a sample portlet, but whenever I went to the Manage Portlets portlet it threw this cryptic exception:
[9/25/08 13:35:15:837 EDT] 00000044 ServletWrappe E SRVE0014E: Uncaught service() exception root cause /WEB-INF/jsp/html/webModuleList.jsp: java.lang.NoClassDefFoundError: com/ibm/psw/wcl/components/marquee/WMarquee
Initially I thought this might be because of some missing jars, but it turns out that the OS is missing some packages, so I had to follow these instructions:
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/topic/com.ibm.websphere.express.doc/info/exp/ae/tins_linuxsetup_rhel5.html
If you want to install the compat-libstdc++-33-3.2.3-61 package, execute yum install compat-libstdc++-33-3.2* and CentOS takes care of downloading and installing the package.