
Morgan Patou

Documentum – Unable to stop an IDS configured in SSL?

When working with the IDS, you might face some interesting behaviors, as mentioned for example in the last blog I wrote. This one focuses on the SSL part of the IDS on the target side. In this blog, I will start by showing the content of our start/stop scripts and how they work in non-SSL, then switch to SSL and try again. For this blog, I quickly installed a test IDS 7.3 using the default non-SSL port (2788).

 

To start and stop the IDS on the target side, we use custom scripts/services that do not contain any port information in their names, because the port might change or simply so that several agents can be started at the same time, and so on. An example of start/stop scripts that can be used for the IDS would be:

[ids@target_server_01 ~]$ cat ~/.bash_profile
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi

# User specific environment and startup programs
PATH=$PATH:$HOME/bin
export PATH

export TZ=UTC
export IDS_HOME=/app/ids/target
export JAVA_HOME=$IDS_HOME/product/jre/linux
export PATH=$JAVA_HOME/bin:$PATH
[ids@target_server_01 ~]$
[ids@target_server_01 ~]$ cd $IDS_HOME/admin
[ids@target_server_01 admin]$
[ids@target_server_01 admin]$
[ids@target_server_01 admin]$ cat startIDSTargetCustom.sh
#!/bin/bash
# bash is required: the [[ ]] tests below are not POSIX sh
. ~/.bash_profile
echo "Starting the Interactive Delivery Services Target..."
NB_PID=`pgrep -f "com.documentum.webcache.transfer.MigAgent" | wc -l`
if [[ $NB_PID != 0 ]]; then
  echo "The Interactive Delivery Services Target is already running."
else
  if [[ -f $IDS_HOME/admin/nohup-IDSTarget.out ]]; then
    mv $IDS_HOME/admin/nohup-IDSTarget.out $IDS_HOME/admin/nohup-IDSTarget.out_`date +%F_%H%M%S`.out
  fi
  nohup $IDS_HOME/admin/dm_start_ids >> $IDS_HOME/admin/nohup-IDSTarget.out 2>&1 &
  echo "The Interactive Delivery Services Target has been started... Sleeping for 30 seconds."
  sleep 30
fi
# End of File
[ids@target_server_01 admin]$
[ids@target_server_01 admin]$
[ids@target_server_01 admin]$ cat dm_start_ids
#! /bin/sh
. ~/.bash_profile
$JAVA_HOME/bin/java -Xms6g -Xmx6g -Dfile.encoding=UTF-8 -Djava.security.egd=file:///dev/./urandom -cp "$JAVA_HOME/lib/ext/*" com.documentum.webcache.transfer.MigAgent $IDS_HOME/admin/config/2788/agent.ini &
# End of File
[ids@target_server_01 admin]$
[ids@target_server_01 admin]$
[ids@target_server_01 admin]$ cat dm_stop_ids
#!/bin/sh
. ~/.bash_profile
$JAVA_HOME/bin/java -Djava.security.egd=file:///dev/./urandom -cp "$JAVA_HOME/lib/ext/*" com.documentum.webcache.transfer.Shutdown $IDS_HOME/admin/config/2788/agent.ini $1 $2
# End of File
[ids@target_server_01 admin]$

 

So when the IDS is configured in non-SSL, this is the configuration of the agent.ini (the default one) and the behavior when you try to start/stop it:

[ids@target_server_01 admin]$ cat config/2788/agent.ini
[conn]
transfer_directory=/data/IDS
secure_connection=raw
http_port=2788
https_ca_cert=$IDS_HOME/admin/keys/ca-cert.der
https_server_cert=$IDS_HOME/admin/keys/server-cert.der
https_server_key=$IDS_HOME/admin/keys/server-key.der
check_pass=$IDS_HOME/product/tools/dm_check_password
log_file=$IDS_HOME/admin/log/2788.log
target_database_connection=jdbc:oracle:thin:@(description=(address=(host=database_server_01)(protocol=tcp)(port=1521))(connect_data=(sid=IDSSID)))
database_user=IDS_USER
database_user_pass=SCS_ENCR_TEXT/A1G8H1FBH12ZECB2P917GEN31ZCBGGC2N2HRC2CNZY
JDBC_DRIVER=oracle.jdbc.driver.OracleDriver
[ids@target_server_01 admin]$
[ids@target_server_01 admin]$ grep -E "^secure_connection|^http.*port" config/2788/agent.ini
secure_connection=raw
http_port=2788
[ids@target_server_01 admin]$
[ids@target_server_01 admin]$ ./startIDSTargetCustom.sh
Starting the Interactive Delivery Services Target...
The Interactive Delivery Services Target has been started... Sleeping for 30 seconds.
[ids@target_server_01 admin]$
[ids@target_server_01 admin]$ ./dm_stop_ids
Nov 11 08:38:42.714:T:main: INFO:       Setting socket TCP no delay to true.
Beginning shutdown...
Shutdown completed
[ids@target_server_01 admin]$
[ids@target_server_01 admin]$ cat nohup-IDSTarget.out
Nov 11 08:33:19.493:T:main: INFO:       Begin logging on: $IDS_HOME/admin/log/2788.log
Nov 11 08:33:19.493:T:main: INFO:       MigAgent.java Starting...
Nov 11 08:33:19.496:T:main: INFO:       Interactive Delivery Services - Version 7.3.0010.0003
Nov 11 08:33:19.496:T:main: INFO:       Total process heap space (bytes) : 5368709120
Nov 11 08:33:19.886:T:main: INFO:       HTTP Port:      2788
Nov 11 08:38:42.700:T:Thread-0: INFO:   Setting socket TCP no delay to true.
Nov 11 08:38:42.710:T:Thread-1: INFO:   --------------------------
Nov 11 08:38:42.717:T:Thread-1: INFO:   Checking for valid SHUTDOWN request
Nov 11 08:38:42.718:T:Thread-1: INFO:   Valid SHUTDOWN Request
Nov 11 08:38:42.718:T:Thread-1: INFO:   Shutdown command received, beginning shutdown...
Nov 11 08:38:42.718:T:Thread-1: INFO:   Shutdown complete.
[ids@target_server_01 admin]$

 

So this is working as expected for both the start and stop commands. I didn’t execute an End-to-End test or an export but this is also working properly. Switching the configuration to SSL on the IDS Target can then be done pretty easily. I will let you check the documentation on how to regenerate the SSL Certificate if you want to (it is recommended) but that’s basically done using the script $IDS_HOME/product/bin/GenCerts. So let’s switch our IDS to SSL and then try again to stop/start it:

[ids@target_server_01 admin]$ grep -E "^secure_connection|^http.*port" config/2788/agent.ini
secure_connection=raw
http_port=2788
[ids@target_server_01 admin]$
[ids@target_server_01 admin]$ sed -i 's,^secure_connection=.*,secure_connection=ssl,' config/2788/agent.ini
[ids@target_server_01 admin]$ sed -i 's,^http.*port=.*,https_port=2788,' config/2788/agent.ini
[ids@target_server_01 admin]$
[ids@target_server_01 admin]$ grep -E "^secure_connection|^http.*port" config/2788/agent.ini
secure_connection=ssl
https_port=2788
[ids@target_server_01 admin]$
[ids@target_server_01 admin]$ ./startIDSTargetCustom.sh
Starting the Interactive Delivery Services Target...
The Interactive Delivery Services Target has been started... Sleeping for 30 seconds.
[ids@target_server_01 admin]$
[ids@target_server_01 admin]$
[ids@target_server_01 admin]$ ./dm_stop_ids
Connecting to secure WebCache at localhost:2788...
Nov 11 08:45:23.587:T:main: INFO:       Server Certificate : $IDS_HOME/admin/keys/server-cert.der
Nov 11 08:45:23.587:T:main: INFO:       CA Certificate : $IDS_HOME/admin/keys/ca-cert.der
Nov 11 08:45:23.587:T:main: INFO:       Server Key : $IDS_HOME/admin/keys/server-key.der
Connected!
Certificates are valid.
Nov 11 08:45:23.747:T:main: INFO:       Setting socket TCP no delay to true.
com.rsa.ssl.SSLException: An IOException occured while collecting the handshake digests: / by zero
        at com.rsa.ssl.tls1.TLSV1ClientProtocol.stateMachine(TLSV1ClientProtocol.java:283)
        at com.rsa.ssl.tls1.TLSV1ClientProtocol.init(TLSV1ClientProtocol.java:163)
        at com.rsa.ssl.tls1.TLSV1ClientProtocol.<init>(TLSV1ClientProtocol.java:127)
        at com.rsa.ssl.common.TLSV1Loader.startTLS1ClientProtocol(TLSV1Loader.java:336)
        at com.rsa.ssl.common.ClientProtocol.sendHello(ClientProtocol.java:243)
        at com.rsa.ssl.common.ClientProtocol.startHandshake(ClientProtocol.java:379)
        at com.rsa.ssl.SSLSocket.getOutputStream(SSLSocket.java:229)
        at com.documentum.webcache.transfer.Client.<init>(Unknown Source)
        at com.documentum.webcache.transfer.Shutdown.<init>(Unknown Source)
        at com.documentum.webcache.transfer.Shutdown.main(Unknown Source)
<B> <FONT color="red">
Nov 11 08:45:23.960:T:main: ERROR:      Client(): creating data streamscom.rsa.ssl.SSLException: An IOException occured while collecting the handshake digests: / by zero
</FONT> </B>
Error creating shutdown object.Error creating data streams
An IOException occured while collecting the handshake digests: / by zero
Error creating data streams
An IOException occured while collecting the handshake digests: / by zero
[ids@target_server_01 admin]$
[ids@target_server_01 admin]$
[ids@target_server_01 admin]$ cat nohup-IDSTarget.out
Nov 11 08:40:37.074:T:main: INFO:       Begin logging on: $IDS_HOME/admin/log/2788.log
Nov 11 08:40:37.075:T:main: INFO:       MigAgent.java Starting...
Nov 11 08:40:37.077:T:main: INFO:       Interactive Delivery Services - Version 7.3.0010.0003
Nov 11 08:40:37.077:T:main: INFO:       Total process heap space (bytes) : 5368709120
Nov 11 08:40:37.426:T:main: INFO:       HTTPS Port:     2788
Nov 11 08:40:37.426:T:main: INFO:       Server Certificate : $IDS_HOME/admin/keys/server-cert.der
Nov 11 08:40:37.426:T:main: INFO:       CA Certificate : $IDS_HOME/admin/keys/ca-cert.der
Nov 11 08:40:37.426:T:main: INFO:       Server Key : $IDS_HOME/admin/keys/server-key.der
Nov 11 08:45:23.744:T:Thread-0: INFO:   Setting socket TCP no delay to true.
<B> <FONT color="red">
Nov 11 08:45:23.976:T:Thread-0: ERROR:  Exception: An IOException occured while reading the finished message: read() error
</FONT> </B>
<B> <FONT color="red">
Nov 11 08:45:23.977:T:Thread-0: ERROR:  Exception: Error Spawning new requestor
</FONT> </B>
[ids@target_server_01 admin]$
[ids@target_server_01 admin]$
[ids@target_server_01 admin]$ ps -ef | grep MigAgent | grep -v grep
ids   15398     1  0 08:40 pts/2    00:00:04 $JAVA_HOME/bin/java -Xms6g -Xmx6g -Dfile.encoding=UTF-8 -Djava.security.egd=file:///dev/./urandom -cp $JAVA_HOME/lib/ext/* com.documentum.webcache.transfer.MigAgent $IDS_HOME/admin/config/2788/agent.ini
[ids@target_server_01 admin]$

 

As you can see above, the stop command isn’t working at all. It’s not doing anything since the process is still up and running. When you try to stop the IDS it fails, apparently because of a division by zero. You can check the different configuration files, you can check that the IDS is working properly from End-to-End, you can do a lot of things (like I did) but you will (likely) not find any solution. This is actually a known issue on the OpenText side and it is documented as part of SCS-3683. So how can you stop the IDS Target process then? Well, the only way is to kill it… So an updated stop script that works for both non-SSL and SSL IDS Agents would be something like this:

[ids@target_server_01 admin]$ cat dm_stop_ids
#!/bin/bash
# bash is required: the [[ ]] tests below are not POSIX sh
. ~/.bash_profile
AGENT_PORT="2788"
CONN_MODE=`grep "^secure_connection" $IDS_HOME/admin/config/${AGENT_PORT}/agent.ini | sed 's,^secure_connection[[:space:]]*=[[:space:]]*,,'`
if [[ "$CONN_MODE" == "ssl" ]]; then
  IDS_PID=`pgrep -f "com.documentum.webcache.transfer.MigAgent.*${AGENT_PORT}"`
  if [[ $IDS_PID != '' ]]; then
    kill $IDS_PID
    sleep 5
    IDS_PID=`pgrep -f "com.documentum.webcache.transfer.MigAgent.*${AGENT_PORT}"`
    if [[ $IDS_PID != '' ]]; then
      kill -9 $IDS_PID
    fi
    echo "The Interactive Delivery Services Target has been stopped..."
  else
    echo "The Interactive Delivery Services Target is already stopped."
  fi
else
  $JAVA_HOME/bin/java -Djava.security.egd=file:///dev/./urandom -cp "$JAVA_HOME/lib/ext/*" com.documentum.webcache.transfer.Shutdown $IDS_HOME/admin/config/${AGENT_PORT}/agent.ini $1 $2
fi
# End of File
[ids@target_server_01 admin]$
[ids@target_server_01 admin]$ ./dm_stop_ids
The Interactive Delivery Services Target has been stopped...
[ids@target_server_01 admin]$
[ids@target_server_01 admin]$ ps -ef | grep MigAgent | grep -v grep
[ids@target_server_01 admin]$
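
The kill-based stop shown above, rewritten as reusable helpers (an added example, not the author's script or OpenText code; all function names are hypothetical). It matches the process on the full agent.ini path instead of the port digits and only escalates to SIGKILL after polling; it assumes the agent was started with the same absolute agent.ini path that is passed in.

```shell
# Added example, not the author's script; all function names are hypothetical.

# Print the value of key $2 from agent.ini $1 (spaces around '=' tolerated).
ini_value() {
  sed -n "s,^$2[[:space:]]*=[[:space:]]*,,p" "$1" | head -n 1
}

# "signal" when the agent runs in SSL (the Shutdown class fails, SCS-3683),
# "shutdown" when the regular Shutdown class can be used.
stop_method() {
  case "$(ini_value "$1" secure_connection)" in
    ssl) echo signal ;;
    *)   echo shutdown ;;
  esac
}

# Build a pgrep -f regex that matches only the MigAgent started with exactly
# this agent.ini; "MigAgent.*2788" would also hit an agent using port 27880.
agent_pattern() {
  escaped=$(printf '%s' "$1" | sed 's/[][\.*^$+?(){}|]/\\&/g')
  printf '%s %s$\n' 'com\.documentum\.webcache\.transfer\.MigAgent' "$escaped"
}

# SIGTERM, poll for up to $2 seconds, SIGKILL only if still alive.
# Returns 0 when the process is gone, 1 when it survived even SIGKILL.
stop_gracefully() {
  kill "$1" 2>/dev/null || return 0          # nothing to stop
  waited=0
  while kill -0 "$1" 2>/dev/null && [ "$waited" -lt "$2" ]; do
    sleep 1
    waited=$((waited + 1))
  done
  if kill -0 "$1" 2>/dev/null; then
    kill -9 "$1" 2>/dev/null
    sleep 1
  fi
  ! kill -0 "$1" 2>/dev/null
}

# Stop every agent bound to the given agent.ini and report what was done.
stop_agent() {
  pids=$(pgrep -f "$(agent_pattern "$1")") || { echo "already stopped"; return 0; }
  for pid in $pids; do stop_gracefully "$pid" 30 || return 1; done
  echo "stopped"
}
```

A stop script would call `stop_method` on the agent.ini first and use `stop_agent` only when it prints `signal`, keeping the regular Shutdown class for non-SSL agents.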

 

It annoys me to kill a process to stop it but since there is, according to OTX, no other solution…

 

 
