
Friday, August 29, 2014

TKLM - Things To Know Part 2

Resolving TKLM Memory Issue

TKLM has a known issue with the Java heap size of its WebSphere (TIP) server process. When the heap is exhausted TKLM becomes slow to respond or stops issuing keys altogether. You can confirm an out of memory condition by reviewing /tklm/tip/profiles/TIPProfile/logs/server1/SystemOut.log on the TKLM server and looking for the following error:

 java.lang.OutOfMemoryError

If this error is present, the short term solution is to restart the primary and replica TKLM instances, which clears the out of memory state. The long term solution is to change the TKLM memory settings in the two files that determine the heap allotment of the wsadmin process and of the server1 JVM.
·         Restart the TKLM primary and replica. This flushes the memory in use and allows TKLM to issue keys as before.

Note: This is a short term fix only and does not resolve the problem; it will occur again after a period of time.
·         The permanent solution is to reduce the TKLM audit level to low and raise the Java heap size of both the wsadmin process (wsadmin.sh) and server1 (server.xml). This needs to be done in two locations and can be done by following the steps provided:

1.     Back up the /tklm filesystem before you edit the files, for example with a TSM client incremental backup:

sudo dsmc incremental /tklm

2.     Reduce the TKLM audit level to low by using the TKLM web GUI and navigating to
1)     TKLM > Configuration > Audit
2)     Select Low and click OK
Confirm by looking into this file: /tklm/tip/products/tklm/config/TKLMgrConfig.properties
Verify that the Audit.event.types and Audit.event.outcome properties read as follows:

Audit.event.types = runtime, authorization, authorization_terminate, resource_management, key_management
Audit.event.outcome = failure

3.     Edit wsadmin.sh and server.xml manually.
1)     The two files that require editing are in the following locations:
/tklm/tip/profiles/TIPProfile/config/cells/TIPCell/nodes/TIPNode/servers/server1/server.xml
/tklm/tip/bin/wsadmin.sh

4.     Modify the wsadmin -Xmx setting in wsadmin.sh.
Example:
1) Locate and modify the PERF_JVM_OPTIONS entry
default value:
PERF_JVM_OPTIONS="-Xms256m -Xmx256m -Xj9 -Xquickstart"

set max value:
PERF_JVM_OPTIONS="-Xms256m -Xmx1280m -Xj9 -Xquickstart"
Note: The maximum heap size for wsadmin is 1280 MB; do not set -Xmx above that.

2) Save the changes

5.     Now modify server.xml by setting the genericJvmArguments attribute of the jvmEntries element to "-Xmx2048m". This is the heap of server1, the JVM that runs TKLM itself, so make sure the host has the physical memory to spare for a 2 GB heap alongside DB2.
1)     Locate and modify the below entry
genericJvmArguments="-Xmx2048m"
2)     Save the changes

6.     As root stop TKLM
1)    /tklm/tip/bin/stopServer.sh server1
7.     As root start TKLM
1)    /tklm/tip/bin/startServer.sh server1
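The steps above as a script, added here as an example and not part of the original post: it counts OutOfMemoryError lines in SystemOut.log, checks that the audit properties carry the "low" values from step 2, and with --apply rewrites -Xmx on the PERF_JVM_OPTIONS line of wsadmin.sh and in genericJvmArguments in server.xml, keeping a timestamped copy of each file and refusing a wsadmin heap above the 1280 MB limit stated above. It assumes Python 3 on the TKLM host (present on most Linux systems, not on AIX by default) and the /tklm paths used in the post; TKLM_HOME, the file names and the function names are this example's own.

```python
"""Added example, not from the original post: the heap fix above as a script
with a backup of each edited file and a verification step. Assumes Python 3
on the host and the /tklm paths used in the post (override with TKLM_HOME)."""
import os
import re
import shutil
import sys
import time

TKLM_HOME = os.environ.get("TKLM_HOME", "/tklm")
WSADMIN_SH = TKLM_HOME + "/tip/bin/wsadmin.sh"
SERVER_XML = TKLM_HOME + ("/tip/profiles/TIPProfile/config/cells/TIPCell"
                          "/nodes/TIPNode/servers/server1/server.xml")
SYSTEM_OUT = TKLM_HOME + "/tip/profiles/TIPProfile/logs/server1/SystemOut.log"
TKLM_PROPS = TKLM_HOME + "/tip/products/tklm/config/TKLMgrConfig.properties"
WSADMIN_CEILING_MB = 1280           # limit the post gives for the wsadmin heap
XMX_RE = re.compile(r"-Xmx(\d+)([mMgG])")

def oom_lines(log_text):
    """Lines of SystemOut.log that record the error the post looks for."""
    return [l for l in log_text.splitlines() if "java.lang.OutOfMemoryError" in l]

def audit_is_low(props_text):
    """True when TKLMgrConfig.properties carries the two values from step 2."""
    want = {"Audit.event.types": "runtime, authorization, authorization_terminate, "
                                 "resource_management, key_management",
            "Audit.event.outcome": "failure"}
    seen = {}
    for line in props_text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            seen[key.strip()] = value.strip()
    return all(seen.get(k) == v for k, v in want.items())

def xmx_mb(text):
    """Heap limit in MB from the first -Xmx in text, or None if there is none."""
    m = XMX_RE.search(text)
    if not m:
        return None
    return int(m.group(1)) * (1024 if m.group(2).lower() == "g" else 1)

def set_wsadmin_xmx(text, size="1280m"):
    """Rewrite -Xmx on the PERF_JVM_OPTIONS line only, within the stated ceiling."""
    mb = xmx_mb("-Xmx" + size)
    if mb is None or mb > WSADMIN_CEILING_MB:
        raise ValueError("wsadmin heap must be a size up to %d MB" % WSADMIN_CEILING_MB)
    lines = text.split("\n")
    hits = [i for i, l in enumerate(lines) if l.startswith("PERF_JVM_OPTIONS=")]
    if len(hits) != 1 or not XMX_RE.search(lines[hits[0]]):
        raise ValueError("expected exactly one PERF_JVM_OPTIONS line carrying -Xmx")
    lines[hits[0]] = XMX_RE.sub("-Xmx" + size, lines[hits[0]], count=1)
    return "\n".join(lines)

def set_server_xmx(text, size="2048m"):
    """Set -Xmx inside genericJvmArguments, adding it when the attribute has none."""
    m = re.search(r'genericJvmArguments="([^"]*)"', text)
    if not m:
        raise ValueError("genericJvmArguments attribute not found in server.xml")
    args = m.group(1)
    if XMX_RE.search(args):
        new_args = XMX_RE.sub("-Xmx" + size, args, count=1)
    else:
        new_args = ("-Xmx" + size + " " + args).strip()
    return text[:m.start(1)] + new_args + text[m.end(1):]

def patch_file(path, transform):
    """Keep a timestamped copy, then replace the file atomically with transform(contents)."""
    with open(path) as f:
        original = f.read()
    updated = transform(original)
    if updated == original:
        return False
    shutil.copy2(path, "%s.bak.%s" % (path, time.strftime("%Y%m%d%H%M%S")))
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(updated)
    shutil.copymode(path, tmp)      # wsadmin.sh must stay executable
    os.replace(tmp, path)
    return True

def main(apply=False):
    """Report, and with --apply edit the two files (stop/start server1 afterwards)."""
    if apply:
        print("wsadmin.sh changed: %s" % patch_file(WSADMIN_SH, set_wsadmin_xmx))
        print("server.xml changed: %s" % patch_file(SERVER_XML, set_server_xmx))
    with open(SYSTEM_OUT) as f:
        print("OutOfMemoryError lines in SystemOut.log: %d" % len(oom_lines(f.read())))
    with open(TKLM_PROPS) as f:
        print("audit level is low: %s" % audit_is_low(f.read()))
    for path in (WSADMIN_SH, SERVER_XML):
        with open(path) as f:
            print("%s: -Xmx = %s MB" % (path, xmx_mb(f.read())))

if __name__ == "__main__":
    main(apply="--apply" in sys.argv)
```

Run it as root on the primary and again on the replica; the stop and start of server1 in steps 6 and 7 are still needed afterwards, since the new -Xmx only takes effect when the JVM restarts.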

TKLM - Things To Know Part 1

DB2 Password and TKLM Data Source Out of Sync

On systems such as Linux or AIX, you might need to change the password for the DB2® Administrator user ID. The operating system login password for this user ID and its DB2 password must be the same, and the J2C authentication aliases that the TKLM data sources use must carry the same value.
The Tivoli Key Lifecycle Manager installation program installs DB2 and prompts the person installing for a password for the DB2 Administrator user, named tklmdb2. DB2 also creates an operating system user entry named tklmdb2. If, for example, the password for this user expires, you must resynchronize the password for both user IDs and then update the data source aliases.
Typically you can tell that the DB2 ID password is no longer in sync with the data source password when accessing TKLM through the GUI fails with an error.
 
Before you can change the password of the DB2 Administrator user ID, you must change the password for the system user entry. To resolve the password sync issue follow these steps:
Note: The original IBM document is located here.

1.     Log on to the Tivoli Key Lifecycle Manager server as root.
2.     Change user to the tklmdb2 system user entry. Type:
su - tklmdb2
3.     Change the password. Type:
passwd
Specify the new password. With DB2's default authentication setting DB2 validates this ID against the operating system, so this also becomes the DB2 password.
4.     Exit back to root.
exit
5.     In the TIP_HOME/bin directory, start the wsadmin scripting interface that WebSphere® Application Server provides, in Jython mode:
./wsadmin.sh -username TIPAdmin -password mypwd -lang jython
If you omit -password, wsadmin prompts for it, which keeps the TIP administrator password out of your shell history and out of the process list.
6.     Change the password for the WebSphere Application Server data source:
a.     The following command lists the JAASAuthData entries:
wsadmin>print AdminConfig.list('JAASAuthData')
The result might look like this example:
(cells/TIPCell|security.xml#JAASAuthData_1396539704930)
(cells/TIPCell|security.xml#JAASAuthData_1396539705604)
b.    Type the AdminConfig.showall command for each entry to find the two TKLM aliases, tklmdb and tklm_db; both must be updated. For example, type on one line:
print AdminConfig.showall('(cells/TIPCell|security.xml#JAASAuthData_1396539704930)')
The result is like this example:
[alias tklmdb]
[description "TKLM database user J2C authentication alias"]
[password *****]
[userId ustklmdb]

And also type on one line:
print AdminConfig.showall ('(cells/TIPCell|security.xml#JAASAuthData_1396539705604)')
The result is like this example:
[alias tklm_db]
[description "TKLM database user j2c authentication alias"]
[password *****]
[userId ustklmdb]

c.     Change the password for the tklm_db alias that has the identifier JAASAuthData_1396539705604. The general form is:
print AdminConfig.modify('<JAASAuthData entry id>', '[[password <new password>]]')
For example, type on one line:
print AdminConfig.modify('(cells/TIPCell|security.xml#JAASAuthData_1396539705604)', '[[password <password>]]')

d.    Change the password for the tklmdb alias that has the identifier JAASAuthData_1396539704930 in the same way. For example, type on one line:
print AdminConfig.modify('(cells/TIPCell|security.xml#JAASAuthData_1396539704930)', '[[password <password>]]')

e.     Save the changes:
print AdminConfig.save()
f.     Exit back to root.
exit
g.    In the TIP_HOME/bin directory, stop the Tivoli Integrated Portal application. For example, as TIPAdmin, type on one line (as with wsadmin, -password can be omitted so that you are prompted for it):
stopServer.sh server1 -username tipadmin -password passw0rd
The result is like this example:

ADMU0116I: Tool information is being logged in file
/opt/IBM/tivoli/tiptklmV2/profiles/TIPProfile/logs/server1/stopServer.log
ADMU0128I: Starting tool with the TIPProfile profile
ADMU3100I: Reading configuration for server: server1
ADMU3201I: Server stop request issued. Waiting for stop status.
ADMU4000I: Server server1 stop completed.

h.     Start the Tivoli Integrated Portal application. As the Tivoli Integrated Portal administrator, type on one line:

 startServer.sh server1

i.      In the TIP_HOME/bin directory, start the wsadmin interface that WebSphere Application Server provides, in Jython mode:

./wsadmin.sh -username tipadmin -password mypwd -lang jython

j.      Verify that you can connect to the database using the WebSphere Application Server data source.

i.       First, query for a list of data sources. Type:

print AdminConfig.list('DataSource')

The result might be like this example:

"TKLM DataSource(cells/TIPCell/nodes/TIPNode/servers/server1|resources.xml#DataSource_1396539707355)"
"TKLM scheduler XA Datasource(cells/TIPCell/nodes/TIPNode/servers/server1|resources.xml#DataSource_1396539709814)"
"Tivoli Common Reporting Data Source(cells/TIPCell|resources.xml#DataSource_1396539473259)"
DefaultEJBTimerDataSource(cells/TIPCell/nodes/TIPNode/servers/server1|resources.xml#DataSource_1000001)
ttssdb(cells/TIPCell|resources.xml#DataSource_1396539429750)

ii.      Type:
print AdminControl.testConnection('TKLM DataSource(cells....)')
For example, type on one line:
print AdminControl.testConnection('TKLM DataSource(cells/TIPCell/nodes/TIPNode/servers/server1|resources.xml#DataSource_1396539707355)')
iii.     Test the connection on the remaining data source. For example, type:
print AdminControl.testConnection('TKLM scheduler XA Datasource(cells/TIPCell/nodes/TIPNode/servers/server1|resources.xml#DataSource_1396539709814)')
iv.    In both cases, you receive a message that the connection to the data source was successful. For example:

WASX7217I: Connection to provided data source was successful.
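Steps 6 and 10 above as a wsadmin Jython script, added here as an example; it is not from the post or from IBM's documentation. Rather than copying identifiers by hand, it lists the JAASAuthData entries, reads each one with showall, picks out the tklmdb and tklm_db aliases, and updates both or neither, so a typo cannot leave the two aliases with different passwords. Run it from TIP_HOME/bin as the TIP administrator, first in resync mode, then stop and start server1 as in steps 7 and 8, then in verify mode, which runs testConnection against the two TKLM data sources:

./wsadmin.sh -username tipadmin -lang jython -f resync_tklm_db.py resync
./wsadmin.sh -username tipadmin -lang jython -f resync_tklm_db.py verify

The script keeps to the Jython 2.1 syntax wsadmin ships and also runs under CPython 3, where the constructed OfflineAdmin fixture (the outputs quoted in the post) lets the parsing logic be exercised without a TKLM server. AdminConfig and AdminControl are the objects wsadmin injects; the script name, function names, the mode argument and the assumption that getpass prompts cleanly under the host's Jython are this example's own.

```python
# Added example (not the post's or IBM's code): resync both TKLM J2C aliases
# with the new DB2 password, then verify the data sources after a restart.
# Jython 2.1 compatible so that wsadmin can run it; also runs under CPython 3.
import getpass
import sys

TARGET_ALIASES = ['tklmdb', 'tklm_db']                        # from the post
TKLM_DATASOURCES = ['TKLM DataSource', 'TKLM scheduler XA Datasource']

def parse_config_ids(listing):
    """Newline-separated AdminConfig.list() output -> ids, with wsadmin's quoting removed."""
    ids = []
    for line in listing.split('\n'):
        line = line.strip()
        if len(line) > 1 and line[0] == '"' and line[-1] == '"':
            line = line[1:-1]     # names containing spaces come back quoted
        if line:
            ids.append(line)
    return ids

def parse_showall(text):
    """'[key value]' lines from AdminConfig.showall() -> dict, quotes removed from values."""
    attrs = {}
    for line in text.split('\n'):
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            parts = line[1:-1].split(' ', 1)
            value = len(parts) == 2 and parts[1] or ''
            if len(value) > 1 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1]
            attrs[parts[0]] = value
    return attrs

def find_alias_ids(admin_config, aliases):
    """Map each wanted alias name to its JAASAuthData config id."""
    found = {}
    for cid in parse_config_ids(admin_config.list('JAASAuthData')):
        alias = parse_showall(admin_config.showall(cid)).get('alias')
        if alias in aliases:
            found[alias] = cid
    return found

def resync_aliases(admin_config, new_password, aliases=TARGET_ALIASES):
    """Set the new password on every alias, or on none of them, then save."""
    for ch in '"[]{}\\':
        if ch in new_password:    # would break the [[password "..."]] attribute syntax
            raise ValueError('password contains a character wsadmin cannot quote: ' + ch)
    found = find_alias_ids(admin_config, aliases)
    missing = [a for a in aliases if found.get(a) is None]
    if missing:
        raise ValueError('JAASAuthData alias(es) not found: ' + ', '.join(missing))
    for a in aliases:
        admin_config.modify(found[a], '[[password "%s"]]' % new_password)
    admin_config.save()
    return found

def tklm_datasource_ids(admin_config, names=TKLM_DATASOURCES):
    """Config ids of the TKLM data sources, in the form testConnection expects."""
    ids = []
    for entry in parse_config_ids(admin_config.list('DataSource')):
        for name in names:
            if entry.startswith(name + '('):
                ids.append(entry)
    return ids

class OfflineAdmin:
    """Constructed fixture replaying the wsadmin outputs quoted in the post, for a dry run."""
    SHOWALL = {
        '(cells/TIPCell|security.xml#JAASAuthData_1396539704930)':
            '[alias tklmdb]\n[description "TKLM database user J2C authentication alias"]\n[password *****]\n[userId ustklmdb]',
        '(cells/TIPCell|security.xml#JAASAuthData_1396539705604)':
            '[alias tklm_db]\n[description "TKLM database user j2c authentication alias"]\n[password *****]\n[userId ustklmdb]'}
    DATASOURCES = ('"TKLM DataSource(cells/TIPCell/nodes/TIPNode/servers/server1|resources.xml#DataSource_1396539707355)"\n'
                   '"TKLM scheduler XA Datasource(cells/TIPCell/nodes/TIPNode/servers/server1|resources.xml#DataSource_1396539709814)"\n'
                   'DefaultEJBTimerDataSource(cells/TIPCell/nodes/TIPNode/servers/server1|resources.xml#DataSource_1000001)')
    def __init__(self):
        self.modified, self.saved = [], 0
    def list(self, kind):
        if kind == 'JAASAuthData':
            return '\n'.join(self.SHOWALL.keys())
        return self.DATASOURCES
    def showall(self, cid):
        return self.SHOWALL[cid]
    def modify(self, cid, attrs):
        self.modified.append((cid, attrs))
    def save(self):
        self.saved = self.saved + 1
    def testConnection(self, ds):
        return 'WASX7217I: Connection to provided data source was successful.'

def main():
    try:
        admin_config, admin_control = AdminConfig, AdminControl   # injected by wsadmin
    except NameError:
        print('Not running under wsadmin; nothing done.')
        return
    mode = 'resync'
    if len(sys.argv) > 0 and sys.argv[-1] in ('resync', 'verify'):
        mode = sys.argv[-1]
    if mode == 'resync':        # assumes getpass prompts (possibly with echo) under Jython
        found = resync_aliases(admin_config, getpass.getpass('New tklmdb2 password: '))
        print('updated and saved: ' + ', '.join(found.keys()))
    else:
        for ds in tklm_datasource_ids(admin_config):
            print('%s -> %s' % (ds, admin_control.testConnection(ds)))

main()   # wsadmin runs the file top to bottom, so the entry point is called directly
```

Verify mode is a separate run on purpose: as in steps 7 to 10, the data sources are tested only after server1 has been restarted with the saved configuration.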

Friday, August 15, 2014

TKLM and TSM Encryption

When it comes to encryption and TSM you find varying responses from admins. Some use the TSM server as the key manager, others implement a library based key manager, and others use a third party software product. In the past I used TSM's internal encryption key management option and while it is a set-it-and-forget-it process it has some limitations when it comes to Exports and DB Backups.  That is where third party software like TKLM can be beneficial. I have recently implemented TKLM and after some hiccups along the way am still undecided on whether I like it.  If you use TKLM let me know your experience and if there are any issues of which I should be aware.  I'll post my hiccups next week as they will take some time to discuss.