LOTUSCONNECTIONS.org

This is fun creating posts on my bb for my blog. All with the blackberry wordpress plugin from http://blackberry.wordpress.org

While my server suffered some (serious) downtime behind the scenes
I dove into the concept of RAID setups on Linux. I al ready had configured
a Software RAID used to save my precious data but had no clue
there were differences in RAID setups.

“That explained my config of this RAID, I configured my
onboard VIA VT6420 SATA RAID Controller with it’s menu to be a
RAID 1 controller and in Linux I configured this setup with Yast
to be a Software Raid 1 config.???? Yeah you know just do, don’t read.

I took this dive because my root disk was at the end of it’s life.
Smarctl -H didn’t gave me a pretty sight. just a failing hard disk.

Luckily I was able to rescue the most of my files that were
on the root disk only an openSUSE 11.2 installation and some config
files of apps. But I decided that I wanted my root disk
to be a RAID 1 setup as well.

I ordered two SATA disks and a SATA RAID 0/1 controller. Then my
mission started to get this setup working as a root disk.

Searching my way through Google about how to do this I discovered
that there are multiple options to create a RAID config on Linux.

The two relevant for my were:

Software RAID (Operating system based)

You can create a Software RAID you don’t need a RAID controller for
this config, so there I was looking good with my just bought RAID controller .

Fake-Raid (Firmware/driver-based RAID)

You can create a Fake-Raid setup by utilizing a Fake-Raid controller capabilities.

You can got loose on the whole RAID thing at wikipedia

http://en.wikipedia.org/wiki/Fakeraid

“Hardware RAID controllers are expensive and proprietary. To fill this
gap, cheap Fake-Raid controllers were introduced.”

I decided to go with the Fake-Raid solution, didn’t want my just-bought
RAID controller to be a waste of money, all though it only cost me 20 EURO
but it’s all about the principle .

Below a summary of all the things I had to do to let me 20 EURO
be a worthy investment.

Create a RAID 1 setup with the menu tool on the RAID controller.

Then create a file-system on the RAID 1 config.

To find out the device name of your RAID device use this command

# dmraid -ay
# ls -la /dev/mapper/

Then use cfdisk or fdisk or whatever partition program to create a file-system.

In my situation it was

# cfdisk /dev/mapper/sil_bgadaecebiea

To be able to boot from a Fake-Raid device you have to have
a initrd file which contains a driver which supports this.

From the man of mkinitrd

dmraid =Include support for Software-Raid over device mapper
              (known as Fake-Raid)
dm      = Include support for device mapper in general
md      = Include support for Software RAID (md)
kpartx = Include support for kpartx partitioning. Always use this
              if you have device mapper devices.

What was important for me, and something that I found out later
is that you can’t boot from a FakeRaid config and use a Sofware based
RAID device at the same time.

http://www.brandonchecketts.com/archives/disabling-dmraid-fakeraid-on-centos-5

“Both of the drivers will attach themselves to all the drives with
any partitions sets as type fd (Linux raid autodetect).”

Later on the road when I was able to boot from my FakeRaid root disk I
converted my Software RAID setup to a Fake-Raid as well.

Found out that creating a Fake-Raid capable initrd file on openSUSE
is a mission own it own.

http://en.opensuse.org/P35_With_SATA_Raid/

“Next we have to edit another file: /lib/mkinitrd/scripts/boot-dmraid.sh
(Note, that I don’t know the state, it was originally in)

you have to change the line that reads

/sbin/dmraid -a y -p

to

/sbin/dmraid -ay”

With all the trip/tricks/hints in mind my final mkinitrd commando looked liked this.

#mkinitrd -f “dm dmraid kpartx”

In order to be able to boot from a FakeRaid device I had to add the
following two parameters to my GRUB menu.lst and set root to my new
partition created.

root = /dev/mapper/sil_bgadaecebieap1
root_dm = 1
root_dmraid=1

kernel (hd0,0)/boot/vmlinuz-2.6.31.5-0.1-default root=/dev/mapper/sil_bgadaecebieap1 root_dm=1 root_dmraid=1 splash=silent agp=off clocksource=hpet 001 showopts

To install the GRUB bootloader on my RAID setup I had to create the following
device.map.

hertogjan:/boot/grub # cat device.map
(fd0)  /dev/fd0
(hd0) /dev/mapper/sil_bgadaecebiea

Then install GRUB

grub> root (hd0,0)
grub> setup (hd0)
grub> quit

And there you go if everything is working out for you you
should be able to boot from your Fake-RAID root disk.

Extra note:

It’s seems booting from a “broken” Fake-Raid on Linux is not supported
as can be read on this website at the bottom.

http://wiki.archlinux.org/index.php/Installing_with_Fake_RAID

“Booting with degraded array

One drawback of the fake RAID approach on GNU/Linux is that
dmraid is currently unable to handle degraded arrays, and will
refuse to activate.

In this scenario, one must resolve the problem from within another
OS (e.g. Windows) or via the BIOS/chipset RAID utility.

Alternatively, if using a mirrored (RAID 1) array, users may temporarily
bypass dmraid during the boot process and boot from a single drive:

 1. Edit the kernel line from the GRUB menu
 2. Remove references to dmraid devices
     (e.g. change /dev/mapper/raidSet1 to /dev/sda1)
 3. Append disablehooks=dmraid to prevent a kernel panic
     when dmraid discovers the degraded array
 4. Boot the system “

Sites already mentioned in the above story that were very
helpful in my attempt fixing this one.

http//www.brandonchecketts.com/archives/disabling-dmraid-fakeraid-on-centos-5
http://wiki.archlinux.org/index.php/Installing_with_Fake_RAID
http://www.texsoft.it/index.php?c=hardwareamp;m=hw.storage.grubraid1amp;l=it
http://en.opensuse.org/P35_With_SATA_Raid

So it seems, DB2 9.5 ESE 32 bits can’t be licensed on a Linux 32 bits server

http://www-01.ibm.com/support/docview.wss?rs=71&uid=swg21313828

So if you want to use DB2 9.5 ESE 32 bits for Linux in production you will have
to switch to the 64 bits version. That or go with one of the lower version
of the DB2 9.5 family like Workgroup Edition or Personal Edition.

http://publib.boulder.ibm.com/infocenter/db2luw/v9r5/index.jsp?topic=/com.ibm.db2.luw.qb.server.doc/doc/r0023732.html

1. Only test and development are supported in DB2 Enterprise Server Edition and DB2 Text Search for Linux on x86-32 hardware.

Are there special licenses for test and dev environments? Because
either what the purpose is of your environment with a trial license
it will stop working when the end date kicks in.

Ray & Anita – In Da Name Of Love

In the Profiles part of Lotus Connections you can configure
multiple profile types, which will give you different lay-outs per type.

You can follow this InfoCenter link how to set it up.
Mitch Cohen also wrote a very detailed guide how to do it.

One thing I came about is how to populate the PROF_TYPE database
field in the EMPINST.EMPLOYEE table. This column is used to determine
what kind of profile type should be used for an user.

I discovered that you can use the following line in the
map_dbrepos_from_source.properties file to use a LDAP attribute
to populate the PROF_TYPE field. This option is not mentioned
in the InfoCenter of Lotus Connections.

PROF_TYPE=employeeType

(
or what LDAP attribute you want to use, but the field employeeType
looks pretty obvious to me :-p

employeeType is an attribute from the objectClass inetorgperson
)

With this config, the sync_all_dns.sh command will use the LDAP
field employeeType to fill the PROF_TYPE column in the
EMPLOYEE table of profiles. This also will keep the profile type
up-to-date if the employeeType LDAP attribute of a user should change.                                       

Below a script you can use to set the rights for every part of Connections correctly.

Handy to fix the rights after you have done an upgrade.

FILE ConfigureRightsActivities.py
 appName = ‘Activities’
 lcsearchadmin=’LCdev admin’
 lcadmin=’LCdev admin’

 AdminApp.edit(appName, ‘[ -MapRolesToUsers [ ["person" no yes "" ""] ["everyone" yes no "" ""] ["reader" no
 yes "" ""] ["search-admin" no no "'+lcsearchadmin+'" ""]  ["widget-admin" no no "'+lcadmin+'" "" ] ] ]’)
 print “done…. Configuring rights Activities EAR”
 AdminConfig.save()
!FILE

Run it as follow.

./wsadmin.sh -lang jython -port 8880 -username wasadmin -password udontneedtoknowthispunk -f ./wsadmin_scripts/configureRightsActivities.py

To do it for the other parts just change the appName var, be aware
that the roles between all the Connections parts differ. The Homepage
part for example doesn’t has the search-admin role.

Lotus Connections 2.0.1 Fix Pack 1 ( 2.0.1.1) has been released.

Check this URL for how to apply this one, and what ifixes are included in this big one ( 230 MB ).

Be aware that there are some additional steps besides installing the Fix Pack itself.

http://www-01.ibm.com/support/docview.wss?rs=3265&context=SSYGQH&dc=DB560&dc=DB520&uid=swg21386185&loc=en_US&cs=UTF-8&lang=en&rss=ct3265lotus

Also note that there is a new LotusConnectionsUpdateInstaller -> link. Don’t
know if you have to use this updateinstaller for this Fix Pack already or that
this one has been released for the ifixes after FIx Pack 1 for 2.0.1.

Currently there are already four new ifixes for the 2.0.1.1 version. Can’t give
any practical tips yet, cause I didn’t saw a change to apply this one.

When installing Lotus Connections one of the tasks is to make a secure trust
between the WebSphere server and the IHS server. To do this you have to
configure SSL in such a way that the signer of the SSL certificate of the
WebSphere server is known by the IHS server.

You have to export the signer of the SSL cert of the WebSphere server and
then import this into the plugin-key.kdb file of the IHS server (WASplugin).

The SSL signer of the WebSphere server is standard valid for one year, after
the SSL cert experies the SSL connection will break. In case when using
Connections if this happens you will see a 500 error instead or your
Connections pages.

To prevent this you can monitor the expiration date of the SSL cert of the
WebSphere server. To do this login to the WAS admin console of the
Connection server.

  Goto : SSL certificate and key management -> Manage certificate expiration

Disable these two options standing below, my experience is that this isn’t workiing
that good, and maybe I just want to control everything myself

  Automatically replace expiring self-signed certificates
  Delete expiring certificates and signers after replacement

Then goto

  SSL certificate and key management > Manage certificate expiration > Notifications > MessageLog

Check

  Message-log
  E-mail sent to notification list

Configure a mail address to sent the notification to and a SMTP server to use.

If this all is configured you will receive a mail every number of days that you have
configured in Expiration notification threshold attribute on the previous page.

For this to take effect you don’t have to restart the WebSphere server.

If it is time to renew you WebSphere cert you could do it this way.

Shutdown the WebSphere server

Startup the ikeyman utility on the WebSphere server
/opt/IBM/WebSphere/AppServer/bin # ./ikeyman.sh

Open the key.p12 SSL file remove the one with the label of default under Personal
certificates, and create an new Self Signed Certificate with the same label of default.

Then choose the Extract certificate button, and save it as an ARM file. Then you can
choose to import it into the trust.p12 yourself or let WebSphere take care of this.
When you start WebSphere it will automaticaly see that the cert in
the key.p12 is not in the Signer Certificates list of the trust.p12 file and will add it self.

As a last step you have to import the exported ARM file into the Signer Certificates
list of the plugin-key.kdb SSL kdb file. Just grep your ikeyman and get it done, do
a restart of the IHS server for the changes to take affect directly and you are save again.

ps. Currently doing some work with Sametime Gateway 8.0.2 and the Hotfix 1 for OCS
integration. Sametime Gateway then requires WAS fixpack 6.1.0.23, looks like they
changed the expiration dates from one year to fifteen years.

More info

IBM WebSphere Developer Technical Journal: SSL, certificate, and key management enhancements for even stronger security in WebSphere Application Server V6.1

After three weeks of down-time my website finally is back on the net.

My ISP (Telfort) messed something up therefor I lost my internet connection.
Because I host my server @home my website also was unreachable for
three weeks.

As an extra suprise my IP was changed so I also had to change my DNS
entries, something I found out after a few days.

But eh were back now