Tork Wrench » db2

DB2 9.5 install hangs on Linux during db2icrt

Graham — Tue, 22 Jun 2010 02:07:16 +0000

Yesterday I spent a bunch of time cleaning up our collection of kickstart files. It’s a grind, I must’ve rerun the Redhat installer 40 times in the last 24 hours. The nice thing is that we now have the same base linux install for all the different versions of Redhat and Fedora that we are using.

All this change has thrown up some new problems however. For each of the installs I was doing, the system would hang when trying to install DB2.

When there is a problem with the db2 install, the first place to go is the /tmp/db2setup.log. Inside that it seemed to be hanging on the instance creation step.

Command to be run: "cd /opt/ibm/db2/V9.5/;/opt/ibm/db2/V9.5/instance/db2icrt -a server -s wse -u db2fenc1 -p db2c_db2inst1 db2inst1".

Looking through the output of ps -ef | grep db2, I saw a suspicious process called UpdateAutoRun.sh.

I couldn’t find a DB2 specific technote for this error, but a bit of searching brought up this one from Tivoli Monitoring (ITM). Apparently DB2 installs an instance of ITM along with DB2 – I’m not sure what it is for. Anyway, there seems to be a dodgy script inside the ITM that relies on the venerable text editor ‘ed’. Without ed installed the log file /itma/logs/UpdateAutoRun.log keeps filling up with the line:

UpdateAutoRun.sh info: Delete of agent start all record successful.

Installing ed in (even while db2setup is running!) allows this script to finish and the rest of the install to complete successfully.

DB2 and ConfigEngine : Security mechanism not supported

Graham — Sun, 28 Jun 2009 04:19:58 +0000

I try to post really random solutions here, and this one’s a doozy ! I was updating a production machine from Portal 6.1.0 to 6.1.0.2. I always run the ConfigEngine tasks validate-standalone-ldap and validate-database-connection before I run any Portal update to make sure that the update won’t fail from something silly like a missing password. I’d highly recommend this practice on your Portal systems.
This time when running validate-database-connection, I ran into this error:

action-validate-database:
[echo] domain 'jcr'
[echo] DbtDbDriver 'com.ibm.db2.jcc.DB2Driver'
[echo] DbtDbLibrary '/home/db2inst1/sqllib/java/db2jcc.jar:/home/db2inst1/sqllib/java/db2jcc_license_cu.jar'
[echo] DbtDbUser 'db2inst1'
[echo] DbtDbUrl 'jdbc:db2://localhost:50000/WPS6TCP'
[echo] DbtDbName 'WPS6TCP'
[java] [06/28/09 13:47:09.620 EST] Attempting to make connection using: jdbc:db2://localhost:50000/WPS6TCP :: db2inst1 :: PASSWORD_REMOVED
[java] [06/28/09 13:47:09.875 EST] ERROR: Error obtaining connecting for jdbc:db2://localhost:50000/WPS6TCP
[java] com.ibm.db2.jcc.b.SqlException: [ibm][db2][jcc][t4][201][11237] Connection authorization failure occurred. Reason: Security mechanism not supported.
[java] at com.ibm.db2.jcc.a.b.m(b.java:1981)
[java] at com.ibm.db2.jcc.a.b.a(b.java:1565)
[java] at com.ibm.db2.jcc.a.bb.b(bb.java:3386)
[java] at com.ibm.db2.jcc.a.bb.a(bb.java:332)
[java] at com.ibm.db2.jcc.a.bb.a(bb.java:112)
[java] at com.ibm.db2.jcc.a.b.j(b.java:1259)
[java] at com.ibm.db2.jcc.a.b.b(b.java:1132)
[java] at com.ibm.db2.jcc.a.b.b(b.java:715)
[java] at com.ibm.db2.jcc.a.b.a(b.java:701)
[java] at com.ibm.db2.jcc.a.b.a(b.java:378)
[java] at com.ibm.db2.jcc.a.b.(b.java:316)
[java] at com.ibm.db2.jcc.DB2Driver.connect(DB2Driver.java:166)
[java] at java.sql.DriverManager.getConnection(DriverManager.java:572)
[java] at java.sql.DriverManager.getConnection(DriverManager.java:165)
[java] at com.ibm.wps.config.db.Database.init(Database.java:139)
[java] at com.ibm.wps.config.db.validation.ValidationDriver.main(ValidationDriver.java:209)

It looked like the problem I’d seen on Ubuntu, where the database password was hashed with an unsupported scheme, but it couldn’t be, because this was on a plain old RHEL system. The difference was that I’d recently changed DB2′s database manager settings from AUTHENTICATION = SERVER to AUTHENTICATION = DATA_ENCRYPT . DATA_ENCRYPT is good because it will send your sql data and your authentication details encrypted across the wire.

Anyway, to make the validation work on a system where you have enabled the DATA_ENCRYPT parameter, just add securityMechanism=13; to the end of the database url. So mine becomes:

jcr.DbUrl=jdbc:db2://localhost:50000/WP6TCP:securityMechanism=13;

So how would the system work in any case, if the database url was wrong?!? The answer is clear after delving into the WebSphere admin console a little bit. I’d configured the custom properties of each Portal datasource post database transfer to work with DATA_ENCRYPT, but not the database urls in wkplc_comp.properties. Here’s where you would set it.

It is important to emphasize that the wkplc*.properties file in ConfigEngine are templates only, and don’t affect the running of the system, until you run a ConfigEngine task against them. Only then do their values get copied to the actual Portal server.

ERRORCODE=-4214, SQLSTATE=28000 from DB2 on Ubuntu

Graham — Mon, 04 May 2009 06:36:46 +0000

Two posts in one day, wow. It’s all part of our special series: how to install and configure WebSphere Portal 6.1 on Ubuntu. This isn’t a Portal only issue, rather it’s a DB2+Ubuntu issue.

After getting Portal installed on this Ubuntu machine, you’re probably going to want to transfer the default Derby database to something more robust like DB2. So you edit wkplc_comp.properties and wkplc_dbtype.properties, and start to run:

./ConfigEngine.sh create-database

And you get this in the ConfigTrace.log

[sqlproc] action: execute-sql-scripts
[sqlproc] _________________________________________________________
[sqlproc] Database autocommit parameter true
[sqlproc] No delimiter has been specified, using [;] to separate the SQL statements.
[sqlproc] Reading file /opt/WebSphere/wp_profile/ConfigEngine/config/database/work/db2/createBufferpools.run
[sqlproc] Could not connect to database
[sqlproc] com.ibm.db2.jcc.b.ao: [jcc][t4][2010][11246][3.53.70] Connection authorization failure occurred. Reason: Local security service non-retryable error. ERRORCODE=-4214, SQLSTATE=28000
BUILD FAILED

Hmm, ok, I thought db2 was working. A good habit when debugging these things is to take the piece that ConfigEngine is trying run and run it independently. So right now I want ConfigEngine to create an empty db2 database that I can run database-transfer against. Try this:

su - db2inst1
db2 create db WP610 using codeset UTF8 territory au pagesize 8192

And that comes back successfully. However, that command sequence is not an accurate representation of what ConfigEngine is actually doing. We’re running ConfigEngine as root. But the ConfigEngine script is using the “user db2inst1 using ” modifiers on the end of the database create command. So how about this?

db2 create db WP610 using codeset UTF8 territory au pagesize 8192 user db2inst1 using password
SQL30082N Security processing failed with reason "15" ("PROCESSING FAILURE").
SQLSTATE=08001

Ah ha, a failure. In the first example, DB2 already trusts the user that we’re logged is as (db2inst1), so it doesn’t need to go back to the operating system and authenticate it. In the second example, we are logged in as root, so db2 needs to go to the operating system and authenticate the user. Ubuntu uses the tried and true passwd + shadow file combo to store usernames and their associated passwords. The trouble is since Ubuntu 8.10, it uses the newer and more secure SHA512 hashing function to store the passwords, and DB2 doesn’t understand SHA512. So the workaround is to change the hashing function in use on the machine, reset the password and then we should be able to use the “user db2inst1 using ” type commands again.

Open /etc/pam.d/common-password in a text editor and change this line:

password [success=1 default=ignore] pam_unix.so obscure sha512

password [success=1 default=ignore] pam_unix.so obscure md5

Then run passwd db2inst1 and put the same or a new password. If you look at the shadow file , the hash will change from something like this:
SHA512

db2inst1:$6$IKe6x6Zq$bSajPzHNIy7jQrPXbI8CrPRlpDYUVm8.A2BhNCxes5cY6LWoh7hQr14XW4agBWbW1ywKkSSDSLFV.NXCr2/1z0:14368:0:99999:7:::

MD5

db2inst1:$1$FF0YDtZn$gemqCKt4Ml375mhiBXk2U/:14368:0:99999:7:::

(The unencrypted password here is ‘password’ – don’t get too excited!) .

Now try running ConfigEngine.sh create-database again. It should work. Make sure you change the system /etc/pam.d/common-password back to sha512, as you want the rest of your users to use this hashing function as it is more secure than md5sum . Hopefully DB2 should address this in a fixpack.