Category: LDAP

Node Agent cannot start after configuring LDAP

Just to document a weird issue I had today. I was attempting to configure LDAP (Microsoft AD) for Maximo/WebSphere. After it was configured (and I had tested that it could query AD data), Application Server security was enabled. Then the server was rebooted to refresh the new configuration.

After the restart, the ctgNode01 (node agent) service could not start. The Node Agent log showed the error below:

WSVR0100W: An error occurred initializing, nodeagent [class com.ibm.ws.runtime.component.ServerImpl]

com.ibm.ws.exception.ConfigurationError: com.ibm.websphere.ssl.SSLException: CWPKI0316E: Cannot get a security object from the configuration. This can indicate that the security.xml file for the cell is corrupt and you must validate the integrity of the file.

I looked it up on the web, and there are some suggestions about a corrupted security.xml file. So I checked and found that the security.xml file in the ctgAppSrv01 profile was completely empty. I looked at other Maximo servers and found that this file has exactly the same content as the security.xml file from the ctgDmgr01 profile. I copied that file over to the AppSrv profile, restarted WebSphere, and it was able to start again.

Not sure why configuring LDAP would completely wipe out the content of this file.

Check Network/Firewall Status using PowerShell

Working with Maximo, we have to deal with network/firewall issues all the time. I can spend a whole day telling you fun stories (or extremely frustrating experiences) I had with IT/Network guys. But that’s not the point. If you end up here, I guess you’re having an issue with a firewall. So below is a quick recap of my tricks:

Ping: the first thing we try when we want to see if a server is accessible from our current machine. But don’t jump to a conclusion too early if it shows the server is unreachable. Sometimes, the Network Admin has disabled ping response to enhance security.
Telnet: to check if a port is open, we can use telnet from the Windows Command console (e.g. telnet google.com 80). If it connects, the target server is accessible on the specified port. But if it doesn’t, first make sure the server is listening on that port before jumping to the conclusion that it’s a firewall issue. I made this mistake a few times, blaming the network, then it turned out that the WebSphere/Maximo service was not running on the port that I assumed it should be running on.
PowerShell: in many cases, the server is not connected to the Internet and Telnet is not installed (and yes, you don’t have permission to install new software either). We can use PowerShell to check network connectivity using the two commands below:
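# Attempt a TCP connection to the target host and port (throws if it cannot connect)
$connection = New-Object System.Net.Sockets.TcpClient("google.com", 80)
# Print the connection state
Write-Host $connection.Connected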
The first line will return an error if it cannot connect to the server.

If the server is accessible via the provided IP and port, the 2nd line will report the status as connected (the Connected property prints True).
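The same TcpClient check can also tell "nothing is listening on that port" apart from "packets are being dropped", which is the distinction the Telnet tip above warns about. The function below is an added example, not part of the original post: Test-TcpPort is a hypothetical helper name, the target list is constructed sample input, and it assumes .NET Framework 4.5 or later (for ConnectAsync) and PowerShell 3.0 or later.

```powershell
# Added example: classify the outcome of a TCP connection attempt.
# Test-TcpPort is a hypothetical helper name, not a built-in cmdlet.
function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $result = 'Unknown'
    try {
        $task = $client.ConnectAsync($ComputerName, $Port)
        if (-not $task.Wait($TimeoutMs)) {
            # Neither an accept nor a reset came back within the timeout
            $result = 'No response (timed out: dropped by a firewall, or host down)'
        } elseif ($client.Connected) {
            $result = 'Open'
        }
    } catch {
        # The failure arrives wrapped (method invocation -> AggregateException);
        # walk down to the innermost exception to find the SocketException
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.Net.Sockets.SocketException]) {
            switch ($ex.SocketErrorCode) {
                'ConnectionRefused' { $result = 'Refused (host answered: port not listening, or actively rejected)' }
                'HostNotFound'      { $result = 'DNS lookup failed' }
                'TimedOut'          { $result = 'No response (timed out: dropped by a firewall, or host down)' }
                default             { $result = "Error: $($ex.SocketErrorCode)" }
            }
        } else {
            $result = "Error: $($ex.Message)"
        }
    } finally {
        $client.Close()
    }
    [pscustomobject]@{ ComputerName = $ComputerName; Port = $Port; Result = $result }
}

# Constructed sample targets; replace with your own servers and ports
@(
    @{ ComputerName = 'google.com'; Port = 80 },
    @{ ComputerName = 'localhost';  Port = 9080 }
) | ForEach-Object { Test-TcpPort -ComputerName $_.ComputerName -Port $_.Port }
```

A "Refused" result usually means the request reached a host and the service should be checked first; a timeout is the case worth raising with the network team.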