iT邦幫忙

2022 iThome Ironman Contest

DAY 22
DevOps

30 Days of WebSphere: Getting Started and Lessons Learned series, part 22

D22/WebSphere went down/Cannot use the console

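Today I rebooted my computer and restarted the WAS container. When I tried to log in to the console, I found
https://ithelp.ithome.com.tw/upload/images/20221007/20128973yC59an3BH1.png
that it was broken
https://ithelp.ithome.com.tw/upload/images/20221007/201289737E1XpUo08T.png
Although the console is broken, the application deployed on the server still runs normally
https://ithelp.ithome.com.tw/upload/images/20221007/20128973yYVjACKs3n.png

It is reasonable to suspect that this was caused by the SSL settings I adjusted earlier.

But how do we restore the settings when we cannot operate the console?

Here I first run a command to create a new environment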

docker run --name test-was2 -p 9043:9043 -p 9060:9060 -p 9080:9080 -p 9443:9443 -d ibmcom/websphere-traditional:8.5.5.20

Recreate a container, and the old one can simply be deleted.

Log in to the new console,
left-hand menu > SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings
https://ithelp.ithome.com.tw/upload/images/20221007/20128973iCgJck6XJE.png
This brings you to the QoP page
https://ithelp.ithome.com.tw/upload/images/20221007/20128973zJiEziMeaN.png
On the right side of the page there is a link, View administrative scripting command for last action

Click it and a window pops up
https://ithelp.ithome.com.tw/upload/images/20221007/20128973Ethle5beV1.png
It lists the Jython commands that correspond to the actions we performed in the console

AdminTask.getSSLConfig('[-alias NodeDefaultSSLSettings -scopeName (cell):DefaultCell01:(node):DefaultNode01 ]')

AdminTask.listSSLCiphers('[-sslConfigAliasName NodeDefaultSSLSettings -scopeName (cell):DefaultCell01:(node):DefaultNode01 -securityLevel HIGH ]')

When I change the protocol in the console, the small window likewise shows the commands for the same action

AdminTask.modifySSLConfig('[-alias NodeDefaultSSLSettings -scopeName (cell):DefaultCell01:(node):DefaultNode01 -keyStoreName NodeDefaultKeyStore -keyStoreScopeName (cell):DefaultCell01:(node):DefaultNode01 -trustStoreName NodeDefaultTrustStore -trustStoreScopeName (cell):DefaultCell01:(node):DefaultNode01 -jsseProvider IBMJSSE2 -sslProtocol SSL_TLSv2 -clientAuthentication false -clientAuthenticationSupported false -securityLevel HIGH -enabledCiphers ]')
AdminTask.modifySSLConfig('[-alias NodeDefaultSSLSettings -scopeName (cell):DefaultCell01:(node):DefaultNode01 -keyStoreName NodeDefaultKeyStore -keyStoreScopeName (cell):DefaultCell01:(node):DefaultNode01 -trustStoreName NodeDefaultTrustStore -trustStoreScopeName (cell):DefaultCell01:(node):DefaultNode01 -jsseProvider IBMJSSE2 -sslProtocol SSL_TLSv2 -clientAuthentication false -clientAuthenticationSupported false -securityLevel CUSTOM -enabledCiphers "SSL_DHE_DSS_WITH_AES_128_CBC_SHA SSL_DHE_DSS_WITH_AES_128_CBC_SHA256 SSL_DHE_DSS_WITH_AES_128_GCM_SHA256 SSL_DHE_DSS_WITH_AES_256_CBC_SHA SSL_DHE_DSS_WITH_AES_256_CBC_SHA256 SSL_DHE_DSS_WITH_AES_256_GCM_SHA384 SSL_DHE_RSA_WITH_AES_128_CBC_SHA SSL_DHE_RSA_WITH_AES_128_CBC_SHA256 SSL_DHE_RSA_WITH_AES_128_GCM_SHA256 SSL_DHE_RSA_WITH_AES_256_CBC_SHA SSL_DHE_RSA_WITH_AES_256_CBC_SHA256 SSL_DHE_RSA_WITH_AES_256_GCM_SHA384 SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256 SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256 SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384 SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384 SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 SSL_ECDH_RSA_WITH_AES_128_CBC_SHA SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256 SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256 SSL_ECDH_RSA_WITH_AES_256_CBC_SHA SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384 SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384 SSL_RSA_WITH_AES_128_CBC_SHA SSL_RSA_WITH_AES_128_CBC_SHA256 SSL_RSA_WITH_AES_128_GCM_SHA256 SSL_RSA_WITH_AES_256_CBC_SHA SSL_RSA_WITH_AES_256_CBC_SHA256 SSL_RSA_WITH_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" ]')

Copy the commands and set them aside for now,
then go back to the broken WebSphere and enter the container with a docker command

docker exec -it test-was8.5.5.20 bash

Once inside the container

cd /opt/IBM/WebSphere/AppServer/bin
./wsadmin.sh -lang jython

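Normally this drops you into the wsadmin interface where you can run commands, but right now it looks like even the SOAP connection has a problem...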
https://ithelp.ithome.com.tw/upload/images/20221007/201289737QNyGzS1PX.png

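That is fine, though, because there is another way: edit the XML configuration file directly.

First go back to the newly created WebSphere environment.
Normally when we make a change in the console we click save right away; this time do not save, click review instead
https://ithelp.ithome.com.tw/upload/images/20221007/201289733ccG9Fkhfn.png
Now we can see which file our change modified
https://ithelp.ithome.com.tw/upload/images/20221007/201289738sVtKLE47X.png

Now that we know the change modifies security.xml, we can adjust it by hand.

The file is located here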

/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/DefaultCell01

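Go to the broken WebSphere environment
https://ithelp.ithome.com.tw/upload/images/20221008/20128973EFsJt8c8ik.png

Once inside, you can see that the protocol and ciphers are written right here.
I changed the protocol back to SSL_TLSv2
and the ciphers back to the long list pasted above
https://ithelp.ithome.com.tw/upload/images/20221008/20128973m2TlyQZW7x.png
After saving the file and restarting,
https://ithelp.ithome.com.tw/upload/images/20221008/20128973b2LL7RQvXf.png
everything was indeed back to normal.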
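
Before hand-editing security.xml as above, it helps to list exactly which SSL fields differ between the fresh container's copy and the broken one. The following is an added example, not part of the original post: the XML layout (a `repertoire` element with an `alias`, wrapping a `setting` element that carries `sslProtocol`, `securityLevel` and `enabledCiphers`) is an assumption about the file, and both sample documents, including the "broken" values, are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified samples. The layout (a <repertoire alias=...> wrapping
# a <setting> that carries sslProtocol / securityLevel / enabledCiphers) is an
# assumption about security.xml; the "broken" values are invented for the demo.
REFERENCE = """<Security>
  <repertoire alias="NodeDefaultSSLSettings">
    <setting sslProtocol="SSL_TLSv2" securityLevel="HIGH" enabledCiphers=""/>
  </repertoire>
</Security>"""
BROKEN = """<Security>
  <repertoire alias="NodeDefaultSSLSettings">
    <setting sslProtocol="TLSv1.2" securityLevel="CUSTOM"
             enabledCiphers="SSL_RSA_WITH_AES_128_CBC_SHA"/>
  </repertoire>
</Security>"""

FIELDS = ("sslProtocol", "securityLevel", "enabledCiphers")

def _local(tag):
    """Strip any '{namespace}' prefix ElementTree puts on a tag name."""
    return tag.rsplit("}", 1)[-1]

def ssl_settings(xml_text):
    """Map each SSL configuration alias to its protocol, level and cipher list."""
    settings = {}
    for rep in ET.fromstring(xml_text).iter():
        if _local(rep.tag) != "repertoire":
            continue
        for child in rep:
            if _local(child.tag) == "setting":
                row = {f: child.get(f) or "" for f in FIELDS}
                # Compare cipher lists sorted, so pure reordering is not reported.
                row["enabledCiphers"] = " ".join(sorted(row["enabledCiphers"].split()))
                settings[rep.get("alias", "?")] = row
    return settings

def diff_ssl(reference_xml, current_xml):
    """Return {alias: {field: (reference, current)}} for fields that differ."""
    ref, cur = ssl_settings(reference_xml), ssl_settings(current_xml)
    changes = {}
    for alias in sorted(set(ref) | set(cur)):
        a, b = ref.get(alias, {}), cur.get(alias, {})
        delta = {f: (a.get(f), b.get(f)) for f in FIELDS if a.get(f) != b.get(f)}
        if delta:
            changes[alias] = delta
    return changes

if __name__ == "__main__":
    for alias, delta in diff_ssl(REFERENCE, BROKEN).items():
        for field, (want, got) in delta.items():
            print(f"{alias}: {field} is {got!r}, reference has {want!r}")
```

For real files, pass the bytes of each container's security.xml to `diff_ssl` in place of the two sample strings.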

One last addition: this is how wsadmin.sh behaves under normal conditions,

cd /opt/IBM/WebSphere/AppServer/bin
./wsadmin.sh -lang jython

https://ithelp.ithome.com.tw/upload/images/20221008/20128973pWBrLSSFKS.png
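Enter the same wsadmin username and password as for the console
https://ithelp.ithome.com.tw/upload/images/20221008/20128973KUUhkoAHPi.png
Then you can run the scripts pasted earlier.

Many more operations are available; see the IBM documentation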
https://www.ibm.com/docs/en/was/8.5.5?topic=concepts-using-wsadmin-scripting-jython

