Among the big software vendors I have to deal with, CA support site is definitely the winner in the bizarre competition – how hard is to find the relevant downloadable. Well, it is pretty easy to locate the Download Center itself in the menu on the left, but all that you get there is latest service pack of the product. Despite that, CA support always want you to be on the latest patch level (“cumulative release” aka CR) to be able to help you – and it is not so clear where to find it. Long time ago I got the direct link to the list of all released CRs for SiteMinder family and used it since then instead of the Download Center.
Now, after almost three years working with CA SiteMinder, I accidentally discovered were the list of all CRs is actually located:
- Go to “Support by Product” in the left side menu
- Select your favorite product in the very long drop-down list
- Click on “Recommended Reading”
- Scroll down to the bottom of the frame with the links
And – voila! – here is the desired “CA SiteMinder Hotfix/Cumulative Release Index” link. (Obviously, you have to be logged in to CA support site to get access to the link I post here…)
Imagine that you’ve just installed Citrix Receiver for Windows 3.0. The nice broadcast icon already appears in system tray, but Preferences item in the context menu is disabled for some reason. The system logs has no relevant errors, and Citrix is not mentioned at all under Programs in the Start Menu. This is the time to read the documentation and discover that Microsoft .NET 2.0 or higher is required for Citrix Receiver to operate. Unfortunately, Receiver installation process does not verify that .NET is actually installed on your machine…
You can turn on debug logging with “trace” utility from “pdadmin” shell via “server task” call. Here is the general format of the call:
server task <instance>-<host> trace set <component> <level> file path=<path>
The parts in the angle brackets should be replaced with appropriate values:
- <instance> – the name of WebSEAL instance
- <host> – hostname of the server that runs WebSEAL
- <component> – name of the component to turn logging on for (see below)
- <level> – log level to use (1 to 9, where 1 is the most detailed; use 0 to turn logging off)
- <path> – filename of the log file to fill with the information
The list of the components can be obtained with “trace list” command. Among the useful WebSEAL-related components:
- pdweb – trace all WebSEAL-related information
- pdweb.debug – list of HTTP header going trough WebSEAL
- pdweb.snoop – same, but including message body
- pdweb.snoop.client – same, but only for data sent between WebSEAL and the web client
- pdweb.snoop.jct – same, for data sent between WebSEAL and the actual web servers (aka “junctions”)
In the example below you can see how to turn on debugging of the web traffic that goes through WebSEAL. The log will go to “C:\pdweb.debug” file. [ Update (April 2013): How to open the ‘pdadmin’ shell. ]
Enter User ID: sec_master
Enter Password: ********
pdadmin sec_master> server task default-webseald-tameb trace set pdweb.debug 2 file path=C:\pdweb.debug
You can read more about “server task trace” in the TAMeb documentation.
Did it ever happen to you that you want to revert some VM to another snapshot and get “The object has already been deleted or has not been completely created” error message? It is really painful, especially if you lab heavily relies on excellent snapshot functionality provided by vSphere… It appears that sometimes it can be fixed by deleting the VM from the inventory and adding it back. The process is really simple, but requires administrative credentials.
So, here it goes:
- Go to the Summary tab for your VM, find the relevant datastore and choose “Browse Datastore…” option.
- Find the folder that belongs to your VM and make sure you see the “.vmx” file (you’ll need it in step 5).
- Go back to your VM in the vSphere tree and choose “Remove from Inventory” in the context menu. Be careful – “Delete from Disk” is the next option, and it is not reversible!
- Wait while vSphere performs your request.
- Go to datastore window, open context menu of the “.vmx” file and choose “Add to Inventory”
- Go through the wizard, selecting relevant options for VM import.
That’s all – wait until the VM will be fully imported and try to revert to your favorite snapshot now.
Did it happen to you that your lab WebSEAL instance suddenly stopped working? Everything seems to be up and running, but any regular request to port 444 results in “Internet Explorer cannot display the webpage”? Well, it happened to me several days ago. Testing the same URL in Google Chrome revealed the possible cause – “ERR_SSL_PROTOCOL_ERROR”. Additional test revealed that HTTP traffic on port 81 (which is typically not used) is served correctly.
I’ll save you from reading the frustrating troubleshooting details. The bottom line is simple – the self-signed SSL certificate supplied with IBM WebSEAL expired on August 27, 2011. This is the certificate that is used by default in many labs, including mine. The fix is really simple – if you know where to look and what to do. Continue reading “Fixing WebSEAL that suddenly stopped responding to HTTPS”