Informix Experts

The newest version of OpenAdmin Tool for IDS, Version 2.23, has just been released! Download the new version today to get the enhanced SQL Explorer and version 2.0 of the ER Plugin.

New feature highlights:

The SQL Explorer has been newly redesigned. New features include

• Filters and search fields for viewing SQL tracing data.
• Support for different SQL trace levels - global or user - so you can manage what kinds of SQL information are traced for IDS V11.50.xC1 servers.
• Support for suspending and resuming history tracing, without releasing resources, on IDS V11.50.xC1 servers.

ER Plug-in Version 2.0: Version 2.0 of OAT’s ER plug-in includes a new Replicate Explorer and becomes the first step in supporting ER administration graphically through OAT.

• The Replicate Explorer now lets you monitor your replicates and replicate sets.






• The Node Details -> Configuration page now supports the editing and updating of ER configuration parameters

Download OAT Version 2.23 now at https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?lang=en_US&source=swg-informixfpd

For additional information on OpenAdmin Tool for IDS, including feature details, screenshots and demos, go to www.openadmintool.org.

Erika Von Bargen

[Read More]

During the installation of IDS 11.50, Program Group folder is opened and Start Menu shortcuts are added. If, these actions were optional then it would make IDS more embeddable with other applications, which uses IDS in background. Customers who are embedding IDS as part of their software package usually desire near-complete invisibility.

This request was met by adding a new comma-line option “hidden” for instillation. This option will prevent creation of start menu shortcuts and suppress the Program Group folder from popping-up. Users can use this option by invoking the setup.exe (IDS 11.50 installation) from command-line and supplying “–hidden” option with the same command.

Command-line Usage:

$ setup.exe -hidden


Bhadrik Patel[Read More]

Previous version of JDBC 3.50 could not be installed on Windows 64-bit using 64-bit JRE. Installing JDBC 3.50 gave an error "Directory not writable" for all directories. Same error message was received, even after running all the process as administrator by turning UAC (User Account Control) off. Workaround for this problem was to use 32-bit JRE on Windows 64-bit to install JDBC 3.50.

This problem was solved in IDS 11.50. Now JDBC 3.50 uses newer version of Install Shield, which allows for JDBC 3.50 to be installed on 64-bit Windows using 64-bit JRE. Now, users no longer have to use 32-bit JRE to install JDBC 3.50 on Windows 64-bit. This makes users life easier, since users do not have to set up 32-bit JRE on 64-bit Windows.


Bhadrik Patel

[Read More]

Introduction:In most cases the Informix error codes are very good at explaining why there is a problem and how to fix it. Finderr(Error Message Utility), is the utility shipped with IBM Informix Dynamic Server and client products(CSDK and IConnect) that’s helps to check an error code and returns error messages corresponding to IBM Informix error numbers.

Problem:Finderr uses WinHelp. The Help for this program was created in Windows Help format, which was used in previous versions of Windows and it is not supported in the newer flavors of Windows Operating Systems like Vista or Windows 2008. Windows Vista and Windows Server 2008 are not shipped with Winhelp application. So you will get error messages popping up while executing finderr utility shipped with IDS 11.50 on Windows Server 2008 and Vista:

The GUI finderr program supplied with CSDK and IConnect also doesn't work on Windows Vista or Windows Server 2008. The execution of finderr utility in client products pops-up the following error messages.

OR

Solution:
The workaround is to download the Windows Help program (WinHlp32.exe) from the following Microsoft support Web site.

For Windows 2008:
http://www.microsoft.com/downloads/details.aspx?FamilyID=0468fefd-b54f-4c57-8340-c6dd2ec20c0a&displaylang=en

For Vista:
http://www.microsoft.com/downloads/details.aspx?familyid=6ebcfad9-d3f5-4365-

The problem has been fixed in IDS 11.50.xC3 and CSDK-3.50.xC3 releases. So you can always upgrade to these releases to get finderr utility working in newer flavors of Windows Operating System.

Snigdha Sahu[Read More]

In IDS releases prior to 10.00.TC5, the Informix Dynamic Server(IDS) Windows Service was allowed to log on only as user informix. Launching the IDS installation program setup.exe with the -system command line argument (only) will install IDS and create a new instance running as the Windows Local System user, bypassing screens which prompt for informix user password(informix user does not get created when this option is used).

Starting with version 11.50, you can install IDS on Windows as the local system user account by selecting the Local System User option right on the IDS Server configuration Setup panel. This option is available only in custom mode of installation.

Typically this option provides the same privileges as the informix user account; however, it uses an internal account representing a pseudo-user that does not require a password. The local system account is used by the operating system and services running under Windows during the installation of Dynamic Server. The informix user is still created by default.

However user can choose not to create an informix user account at all, but we have to note that Enterprise Replication between Dynamic Server on UNIX and IDS on Windows Operating System will not work if informix user and Informix-Admin group is not present.Along with the “Start database server as Local System User” checkbox another checkbox “Do not create user informix account” is also provided on the same panel which is greyed out unless the user picks the System User option.

Some of the benefits of why people would want to do this:
• if the machine has a password expiry policy and it is not convenient to change the password of the IDS service this will save having to do it
• some security policies require that the informix user not be a member of the Administrators group. If the IDS service logs on as local system user the informix user no longer has to be an administrator.

Snigdha Sahu[Read More]

Suppose you have an application which depends on IDS. Your business requirement is application must starts after a successful IDS memory initialization. Previously there was no way you can validate the return code of oninit process to make a decision whether or not IDS initialize successfully. So, if you have a script that automatically starts IDS and the application respectively, it possible the application may start even though IDS failed to initialize.

A new oninit option has introduced to IDS 11.50 that generate a return code. Based on the return code you can customize the script and automate startup process.

The 'oninit -w' command generates following return codes:

• 0 - when success
• 1 - when initialization fails or exceed the timeout value

The 'oninit -w' command forces IDS to wait until it successfully initializes before returning to a shell prompt. You can also provide an addition argument for timeout value with '-w' option. Without any timeout value with '-w' option, IDS will use the default value e.g. 10 minutes. If IDS cannot initialize within the timeout period, oninit generates return code 1 and writes following error message to the online.log file:

Warning: wait time expired

The syntax of new command as follows:

• oninit -w
• oninit -w

You can use the '-w' option with combination of any other oninit initialization options.

Couple of points to remember:

• In a high-availability environment, you can only use the 'oninit -w' command on primary server; it is not valid on secondary servers.
• The oninit command returns success when sysmaster, sysutils, sysuser and sysadmin are successfully created.

Sanjit Chakraborty[Read More]

DB_LOCALE and CLIENT_LOCALE are compatible if ...

• the code set for both the locales are identical,

OR




• code set conversion is possible between CLIENT_LOCALE's and DB_LOCALE's code set,

AND
a locale consisting of the language_terriorty from CLIENT_LOCALE and the code set from DB_LOCALE exist

Note: For any code set name, its corresponding code set number and hex value, can be found in following file.

$INFOMRIXDIR/gls/cm3/registry.

Example 1:

DB_LOCALE = en_us.850 (code set 850, its hex value 0352)
CLIENT_LOCALE = de_de.850



Here, both the locales are using same code set, 850 which is supported by both en_us and de_de, that is, US English and Germany German.
Hence, they are compatible.

Example 2:

CLIENT_LOCALE = fr_ca.850 (code set 850, its hex value 0352)
DB_LOCALE = de_de.cp1252 (code set 1252, its hex value 04e4)

Here, for both the locales to be compatible, there are 2 requirements:


i) Canadian French (fr_ca) must support code set 1252 encoding.




In other words, this locale file must exit.

$INFORMIXDIR/gls/lc11/fr_ca/04e4.lco



ii) Conversion between CLIENT_LOCALE's code set, 850 and
DB_LOCALE's code set, cp1252 must be supported.




In other words, these files must exist.

$INFORMIXDIR/gls/cv9/035204e4.cvo
$INFORMIXDIR/gls/cv9/04e40352.cvo
If you have locales fr_ca and de_de, for code set 850 and cp1252, installed on the machine, you

should see the above listed files exists.
Hence, they are compatible locale.

Example 3:

CLIENT_LOCALE = fr_ca.850 (code set 850, its hex value 0352)
DB_LOCALE = cs_cz.8859-2 (code set 8859-2, its hex value 0390)

Here, the locales are not compatible because ...
• Canadian French (fr_ca) does not support 8859-2 encoding, and
• conversion between code set 850 and 8859-2 is not supported.

Example 4:

CLIENT_LOCALE = iw_il.8859-8 (code set 8859-8, its hex value 0394)
DB_LOCALE = en_us.utf8 (code set utf8, its hex value e01c)

Here, even though code conversion is posible between code set 8859-8 and utf8, these locales

are not compatible because Israelian hebrew (iw_il) does not support utf8 encoding.

That is, there is no such locale file to support utf8 encoding by Israelian hebrew.

$INFORMIXDIR/gls/lc11/iw_il/e01c.lco

Note: If a locale file is not available in your INFORMIXDIR, check the Informix International

Language Suppliment (ILS) to see if that the locale is supported.

Seema Kumari


[Read More]

The value of locale variable, CLIENT_LOCALE or DB_LOCALE can be broken into 4 parts.

     1          2                   3                      4    
<language>_<territory>.<Code set name/Code set number>[@modifier]
       --------   --------    -----------------------------   --------

Conventional, I represent this as ll_tt.xxxx@xyz, where ...

ll ............ represents the Language


tt ........... represents the Territory, or cultural convention.


xxxx ....... represents the Code set Name or the Code set Number supported by the locale and


xyz ......... represents the Modifier. This is the only optional part in a locale value.



The modifier, sometimes refered as variant, modifies the cultural-convention settings that the language and territory settings imply. It usually indicates a special localized collating order that the locale supports.

Let us look at an example.

Example:

CLIENT_LOCALE = de_at.cp1252@euro, and
CLIENT_LOCALE = de_at.1252@euro


• Here, both CLIENT_LOCALE values represent the same locale.




• 1252 is the Code set number for Code set name, cp1252. We can specify either Code set name or the Code set number in a locale value.

where,

- de ........... represents the German language
- at ............ the territory, Austria
- cp1252 ... the code set used for the encoding and
- euro ....... the modifier used for the locale



So, this is German language locale, for Austria, using cp1252 encoding and euro modifier.

Now, to check if this locale file exists, where to lookup ?

All locale files reside under directory $INFORMIXDIR/gls/lc11

To lookup for locale files for language (ll) and territory (tt), we check under $INFORMIXDIR/gls/lc11/ll_tt directory.




In our example, to lookup for locale files for German language (de), for territory Austria (at), we will lookup $INFORMIXDIR/gls/lc11/de_at directory

Next, under the specified locale directory, look for files with name represented by hex value of the code set name/ code set number, along with modifier name if modifier is specified, with an extension .lco



In our example, hex value for Code set cp1252 is 04e4 and modifier euro is used. So, we will look for file 04e4euro.loc under directory $INFORMIXDIR/gls/lc11/de_at.

How and where to find the hex value for a Code set name ?

For any Code set name, its Code set number and hex value can be looked-up in file $INFORMIXDIR/gls/cm3/registry.

Example:

Let us find the hex value for Code set name Latin-3.

We can find the information in file

$INFORMIXDIR/gls/cm3/registry



  In the registry file ...

- first coulmn represents the code set name,
- second column is code set number
- third column is the hex value of the code set number, and
- fourth column, is either blank or has comment about the code set.



Let us lookup for code set, Latin-3 in registry file and see what we find.
We get the following value.





   Latin-3          57346              0xe002  					
  ---------      ------------	      -----------     --------------------------------
 code set name   code set number     hex value      in this case, there is no comment 

NOTE:

• Locale values are case in-sensitive.




Example:

DB_LOCALE = de_de.cp1252, DB_LOCALE = de_de.CP1252.
Here, both locale values are valid, representing the same code set.




• You can specify either code set name or code set number in a locale value, but you cannot use the hex value of the code set number.


Example:

DB_LOCALE = fr_ca.57372 or fr_ca.utf8, ........ both values are valid and they represent the same code set.


DB_LOCALE = de_de.cp1252 or de_de.1252 .... both values are valid and they represent the same code set


DB_LOCALE = de_de.04e4 ............... this in invalid. Code set's hex value cannot be used in a locale value.




• If modifier is not specified in the locale variable, like say ...

CLIENT_LOCALE = de_at.cp1252


- to locate the locale file, look for .loc under the language_territory directory. In this case, we look for following file ...

$INFORMIXDIR/gls/lc11/de_at/04e4.lco




• If modifier is specified in the locale variable, like ...

CLIENT_LOCALE = de_at.cp1252@euro




- to locate the locale file, look for .lco file under language_territory directory. In this case, we look for following file ...

$INFORMIXDIR/gls/lc11/04e4euro.lco




• Code set name, its corresponding Code set number and hex value is specified in file
  $INFORMIXDIR/gls/cm3/registry.
  
  
• Locale Territory/ Country code and Language code can be looked up in file
  $ILS_INSTALL_DIR/release/GLS_INFO
  
  
  
  
• Conventionally, for LOCALE variable having value ll_tt.xxxx[@xyz], following locale file should exist.
$INFORMIXDIR/gls/lc11/ll_tt/<hex value of xxxx>[xyz].lco




Seema Kumari
[Read More]

IDS 11.50 introduced a new installation wizard (installer), which makes life easier than in past releases to set up an instance to use a variety of database clients. In this section we will discuss how to set DRDA connection during installation process.

The installation wizard is extremely user friendly and easy to navigate. Options are available with installation wizard to configure a database server alias (DBSERVERALIASES) and a port for clients that use the DRDA protocol. You can easily setup this DRDA connection via a checkbox when creating the demonstration database server instance during installation. We will see some screenshots latter in this section to get a better understanding on DRDA configuration.

There are little differences between UNIX and Windows installation wizard.

UNIX

• Select option use the default configuration file to able to install database server with DRDA.
• Do not select the option to customize the default configuration file, as this option does not allow setting DRDA.

  
  
  

Windows

• By default the server installation includes DRDA setup.
• You must select custom installation to exclude DRDA setup.

On UNIX platform you need to answer 'Yes' for question Do you want to create an IDS demonstration database server instance. Similarly, you need to choose option 2 - Use the default configuration file under demonstration database instance configuration. You may use default server name and server alias values or change those as per your requirement.

Following is a DRDA configuration screenshot on UNIX platform:

On Windows platform the typical installation process (default) automatically include the DRDA configuration. It will set the configuration parameter DBSERVERALIASE as "svc_drda". Custom installation process is required if you want to disable DRDA setup in demonstration server instance.

Following are some DRDA configuration screenshot on Windows platform:

The custom installation process provides controls on initialize the demonstration server. You can exclude the DRDA configuration, if you wish. By default DRDA is selected.

Things to notice if you enable a custom configuration file on windows platform, DRDA support is removed.

By default IDS will configure TCP/IP port 9089 and drtlitcp or drsoctcp connection protocol for DRDA configuration.

Sanjit Chakraborty

[Read More]

IDS 11.50 made a significant improvement in installation process. Started with IDS 11.50 informix introduced a new versatile installation wizard (installer), which can automatically creates a customized database server configuration file (ONCONFIG) suitable for your system environment and create a demonstration database server during installation process.

Part of the installation process installer captures inputs from user. Then evaluates the input values to ensure settings are valid, and it calculates several values for other configuration parameters based on hardware settings and database instance needs. You can use the Instance Configuration Wizard in GUI or console installation modes to use this new feature. However, make sure you choose the option “Creating Demonstration Database Server Instance” during installation process to automatically create the customized configuration file.

There are little differences between UNIX and Windows installation wizard.

UNIX

• Checked 'Yes' for Use create an IDS demonstration database server instance
• Choose option for Customize the default configuration file

  
  
  

Windows

• On Windows platform the Instance Configuration Wizard is only available with custom setup in GUI mode.
• You must checked 'Demos' under select the feature you want to install
• The 'Enable a custom configuration file' must checked also

Following are some restrictions that you need to remember during installation:

• Installation directory must be empty
• The root chunk file must be empty or not exists. Installer will create the file.
• Parameters affected by the Instance Configuration Wizard are not available for silent installation.

During installation, Instance Configuration Wizard captured following input from user:

• Installation Directory
• Database Server Name
• Database Server Number
• Rootpath
• Rootsize
• No. of central processing units (CPUs)
• Memory: System RAM dedicated to the IDS server (in MB)
• No. of online transaction clients
• No. of decision support clients

Based on the above information installer will set following configuration parameters:
ROOTPATH, ROOTSIZE, MSGPATH, DBSERVERNAME, DBSERVERALIASES, SERVERNUM, DRLOSTFOUND BAR_ACT_LOG, BAR_DEBUG_LOG, DUMPDIR, JVPJAVAHOME, JVPHOME, JVPPROPFILE, JVPLOGFILE, ALARMPROGRAM, SYSALARMPROGRAM, JVPCLASSPATH, BUFFERPOOL, VPCLASS

If the Instance Configuration Wizard encounters a problem while validating or calculating configuration parameters for customize configuration file, the configuration file is created with default, workable configuration parameters and an appropriate message displayed.

The customized configuration file will save as 'onconfig.<DBSERVERNAME>' in etc directory under <INFORMIXDIR>.

The "Creating Demonstration Database Server Instance" option with installation process will create a demo database instance. Once the installation process complete, installer generate two script files called profile_settings (korn shell) and profile_settings.csh (C shell) for setting environment variable for demo server instance in $INFORMIXDIR/demo/server (%INFORMIXDIR%\demo\server for Windows) directory.

Following is a screenshot of instance configuration wizard on UNIX platform (console installation mode):



You must choose '1 - Yes' for create an IDS demonstration database server instance and '3- Customize the default configuration file to suit your needs and hardware' in console installation mode.

Following are some screenshot of instance configuration wizard on Windows platform (GUI installation mode):

You must select 'Custom' in GUI mode

Make sure to checked 'Demos' for create an IDS demonstration database instance

Make sure 'enable a custom configuration file to suit your needs and hardware' also checked

An example of server configuration setup. You need to insert values for customize the database server.

Sanjit Chakraborty





[Read More]

Upgrading Informix Dynamic Server Version 10.00 to Versions 11.10 or 11.50:

When installing IDS 11.10 or 11.50, if you choose the option "Upgrade from the previous version", all the server binaries will be upgraded to the newer version(s) automatically.

Upgrading Informix Dynamic Server from Version 11.10 to 11.50:

When installing IDS 11.50 on Windows, direct upgrade from IDS 11.10 is not supported. If “Upgrade from the previous version” is selected the following message pops up. Installer stops beyond this point.

Since the support to install both 11.10 and 11.50 on the same machine exists, it is recommended to choose the option “Install into a default/different directory” (shown in the panel below) to install IDS 11.50. Note: This will not upgrade IDS 11.10 to IDS 11.50.

As part of providing a folder name to install the product, a completely new path must be supplied. If the folder selected already contains binaries from IDS 11.10, then the following message pops up.

User can respond to the question “Do you want to select another folder? “. Clicking “yes”, the installer returns to the destination panel where they can provide a different folder. Clicking No, the installer goes to finish panel

The recommended approach to upgrade to 11.50 is

1. Uninstall IDS 11.10 using "Retain database, but remove server binaries option"
2. Save all the Registry Keys in HKEY_LOCAL_MACHINE\SOFTWARE\Informix\OnLine\
3. Install the later version (IDS 11.50) to the same path.
4. Make sure that you do not initialize the server when installing.
5. Copy the ONCONFIG file to the target and set parameters that are new for the current release.
6. Bring the server up using Control Panel->Services or any other method without initializing.

 

Snigdha Sahu[Read More]

Introduction:IDS 11.50 makes use of IBM Global Security Kit (GSKit) for data encryption and SSL communication. GSKit is deployed as part of IDS installation.

Issue/Solution

Due to the manner in which GSKit is deployed by the IDS installer, you may get a Windows installer error during IDS installation stating:

Error 1706. No valid source could be found for product IBM Informix Dynamic Server. The Windows installer cannot continue.

If GSKit 7 is not present on the machine, it will not be deployed during IDS installation. Furthermore, this error impacts the invisibility of IDS being deployed using silent mode of installation. If present on the machine, GSKit is deployed in [PROGRAM_FOLDER]\IBM\gsk7

After IDS installation, INFORMIXDIR (IDS installation directory) will contain the GSKit-related msi file "IBM Informix Dynamic Server.msi". Prior to any subsequent installation of IDS, clean entries related to the GSKit-related msi from the Microsoft installer database by running the following command:

msiexec.exe /x "IBM Informix Dynamic Server.msi" /qn

Note:The command above will not uninstall IDS. "IBM Informix Dynamic Server.msi" does contain the IDS application files or IDS-related information. Therefore, uninstalling IDS is not an alternate workaround.

Below is are the repro steps for the problem:

On clean machine, install IDS, OR

On a machine with no IDS installation present, run the Windows installer clean up utility and clean up all reference to IBM Informix Dynamic Server.

After installation, uninstall IDS and clean up all the remnants of INFORMIXDIR

Install IDS in a separate directory from the previous installation.

The problem will be fixed in IDS 11.50.xC3 release.

Tosin Ajayi

[Read More]

Most of us fairly familiar with errno -28 (No space left on device) during Assertion Failure (AF), while Informix Dynamic Server (IDS) generates diagnostics data (AF file and shared memory dump). Diagnostics data are very critical to determine the root cause of failure. AF files are generally not too big, where as shared memory dumps often huge in size, almost same as the total memory size used by the IDS instance. The lack of disk space can cause partially dump of shared memory file, which add very little or no value to diagnose the failure.

In large IDS systems, the amount of space required to dump the shared memory is excessive because of gigantic sizes of the resident segment. Most of it contains is BUFFERPOOL information. Large size of the shared memory dump file not only create space issue, it difficult also for technical support to extract useful information in a timely manner.

The IDS version 11.50 provides some flexibility to control how much memory is written to a dump file. We can exclude the buffer pool information from resident segment to significantly reduce the shared memory dump file size. Configuration parameter DUMPSHMEM and onstat both provide some new options to control the shared memory dump size.

Use the DUMPSHMEM configuration parameter to automatically create a dump file during AF. Set DUMPSHMEM to 2 to create a shared memory dump that excludes the buffer pool. You can dynamically change the value of DUMPSHMEM with onmode -wm and onmode -wf. The DUMPSHMEM can take following values:

        0 -  Do not dump shared memory during AF        1 -  Dump full shared memory (default)        2 -  Dump shared memory without bufferpool (new option)

The 'onstat -o' command also allows to dump shared memory file on-demand. Use the new ‘nobuffs’ options with 'onstat -o' to generate shared memory dump without bufferpool. If you use 'onstat -o' without 'nobuffs' option, the DUMPSHMEM configuration parameter controls the content of shared memory file. The 0 or 1 configuration value will generate full shared memory dump file and 2 exclude buffer pool information.

All oncheck options works on the shared memory dump file without buffer pool, except options that access buffer information e.g. -b, -B, -P.

Typically onstat shows segments as “FACADE” while working with full shared memory, where as shared memory without buffer pool shows as "FAÇADE NOBUFFERS".

Sanjit Chakraborty[Read More]

Introduction:

This article describes a customer’s experience with their poll thread configuration while upgrading from IDS 7.31.FD9 to IDS 10.00.FC6. This particular upgrade was related to their busiest IDS server running on an HP Superdome. Typically, one could observe upwards of at least 3000 short-lived soctcp connections on this system.

Original IDS 7.31 Configuration:

Key configuration settings that were active in the IDS 7.31 environment were initially used after upgrading to IDS 10.00:

• 23 CPU VPs
• 20 poll threads running on NET VPs
• multiple server aliases

Optimal IDS 10.00 Configuration:

An optimal configuration was ultimately determined and incorporated the following configuration settings in the IDS 10.00 server:

• 23 CPU VPs
• a handful (3-5) of poll threads running on NET VPs
• enable new IDS 10.00 ONCONFIG parameter, FASTPOLL
multiple server aliases

Relevant Testing:

Stress testing supportive of this optimal configuration was conducted on a 16-processor/32-core HP server using the latest IDS 7.31 and IDS 10.00 64 bit products. The testing involved a multi-threaded ESQL/C application that would spawn 3000 threads over 3 server aliases. Each thread would connect to the server, complete a small amount of read-only work and disconnect from the server 30 times. These 90,000 total connections mimicked the customer’s workload and considered poll threads running both on CPU VPs (inline) and on NET VPs against servers configured with 23 CPU VPs. The following chart shows results from the stress testing that were considered for the optimal customer configuration:

Jeff Laube[Read More]

History:

Through online forums and technical support cases, Informix users have requested the ability to limit the number of connections to IDS servers.

Introduction:

Available now in 11.50 IDS, the ONCONFIG parameter, LIMITNUMSESSIONS, can be used to define the maximum number of sessions that you want connected to IDS.

This ONCONFIG parameter uses the following syntax:

LIMITNUMSESSIONS maximum_number_of_sessions, print_warning

The maximum_number_of_sessions option defines the limit for the maximum number of sessions and can be set to a value in the range of 0 to 2,097,152. The value of 0 is the default and indicates that this feature is turned off.

The print_warnings option can be set to 1 or 0. When this value is set to 1, a warning message is written to the online.log when the number of sessions approaches the limit. These warning messages are not reported when the value is set to 0. The default is 0.

The limit imposed by LIMITNUMSESSIONS takes effect when the database server is shut down and restarted. It can also be started, modified or stopped dynamically by using onmode –wf or onmode –wm.

When the number of connections reaches this limit, new connection requests are rejected with the error -25571 Cannot create a user thread, until the number of connections fall below this limit. A message is reported to the online.log when this limit has been reached.

Database Server Administrators (DBSAs) are the exception to this limit. When the limit has been reached, a DBSA user will still be allowed to connect to IDS.

Example:

The following example specifies that you want a maximum of 100 sessions to connect to the server and that you would like a warning message printed to the online.log when the number of connected sessions approaches 100.

LIMITNUMSESSIONS 100,1

For more information:

http://publib.boulder.ibm.com/infocenter/idshelp/v115/index.jsp?topic=/com.ibm.admin.doc/ids_admin_1221.htm

Disclaimer:

This feature is not intended to enforce terms or conditions of the User License Agreement.

 

Jeff Laube

[Read More]

Introduction:Multiple installation of IBM Informix Dynamic Server is now enabled in IDS 11.50 xC2. With this, users will be able to install multiples copies of IDS on a single machine with the ability to create instance(s) per installation. For example, a user can have 11.50 xC1 and 11.50 xC2 co-existing on the same machine with instances related to each installation running on that machine.

With this new effort, a user that has an installation of IDS 11.50 can invoke setup.exe and will be presented with existing installation of IDS on the machine. The user can then make a choice between installing a new copy of IDS and maintaining an (one of the) existing copy(ies). If there is an existing installation of IDS 11.50 on a machine, a user that launches setup.exe in graphical mode will be presented a panel similar to the one below:

However, with an existing installation of IDS 11.50, launching setup.exe in silent mode will require a maintenance response file. Without a maintenance response file or with an installation response file, the installer will abort. To install a subsequent copy of IDS 11.50 in silent mode, the user should pass the ‘-multiple’ command line option to setup.exe.

In addition to the "-multiple" command line option, there are 2 command line options for maintenance namely "-path" and "-instnum". These 2 new command line options are used to launch maintenance mode for a specified installation. Since they perform the same functionality, they should be used interchangeably and not in conjunction with one another.

Usages of the newly implemented options:

-multiple usage

setup.exe -multiple

This option can be used in conjunction with other installation command line options. E.g.

setup.exe -multiple -s -f1"C:\TEMP\server.ini" -f2"C:\TEMP\server.log"

-path usage

setup.exe -path [installation path]

The user invokes setup.exe with the ‘-path’ option passing the installation path for which maintenance is required. This option can be used in conjunction with other maintenance command line options. E.g.

setup.exe -path [installation path] -s -f1"C:\uninst.ini"

-instnum usage

setup -instnum [installation number]

The user invokes setup.exe with the ‘-instnum’ option passing installation number for which maintenance is required. Note that each installation is tagged with an installation number in shortcut menu (except for the first installation which doesn’t have a tag). This option can be used in conjunction with other maintenance command line options. E.g.

setup.exe -instnum [installation number] -s -f1"C:\uninst.ini"

For more information on installing IDS, visit http://publib.boulder.ibm.com/infocenter/idshelp/v115/index.jsp

Tosin Ajayi

[Read More]

The newest version of OpenAdmin Tool for IDS, Version 2.22, is available now! The latest features center on a Enterprise Replication (ER) monitoring and security.

ER Plug-in Version 1.1: Version 1.1 of OAT’s ER plug-in greatly enhances OAT’s Enterprise Replication monitoring capability.

• The ER Routing Topology page has been transformed to allow monitoring of all nodes in the ER domain from a single page without having to drill-down on each node. Users can set thresholds for key ER statistics and then use the Routing Topology page to monitor alerts and profile data for each node in their domain. (Requires IDS server version 11.50xC2.)









• The ER Node Details pages have been expanded to show errors for the current node or the entire ER domain (Errors tab) and to list current values of the ER configuration parameters (Configuration tab).



• Check out a demo of the newest ER monitoring features here: ER Monitoring with Alerts Demo

Secure SQLToolbox: OAT admins can now choose to turn on an additional level of security for the SQL Toolbox pages. If “Secure SQLToolbox” is turned on, OAT users will have to re-authenticate in order to view schema data or use the SQL Editor. This additional layer of security can be used to ensure that OAT users are not automatically allowed free access to databases or tables as the user informix.

Download OAT Version 2.22 now at https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?lang=en_US&source=swg-informixfpd

For additional information on OpenAdmin Tool for IDS, including feature details, screenshots and demos, go to www.openadmintool.org.

Also check out the new DeveloperWorks article on writing custom plug-ins for OAT: www.ibm.com/developerworks/db2/library/techarticle/dm-0808vonbargen

Erika Von Bargen[Read More]

Introduction

HTTPS protects the OAT webserver from eavesdropping, tampering, and message forgery. It protects the OAT webserver from hackers who are trying to secretly listen or interfere with the OAT network. Enabling HTTPS will encrypt OAT clients’ messages before sending it to the OAT webserver. This prevents hackers from listening over the line and stealing sensitive information. Sometimes hackers will setup a fake OAT webserver and deceive OAT clients as to whom the real OAT host is. Enabling HTTPS also allow OAT clients to authenticate with the OAT host, so that hackers cannot deceive OAT clients with a fake OAT webserver.

Please note that HTTPS only encrypts communication between OAT webserver and OAT client. It does not encrypt communication between IDS server and the OAT webserver.

IBM® Informix® Dynamic Server, Version 9.4 and later, enables encryption of data between IDS server and OAT webserver using an encryption communication support module. You can find more information in the following link:

http://www.ibm.com/developerworks/db2/library/techarticle/dm-0401dandekar/index.html

Enabling HTTPS in OAT will involve the following steps:

• 1. Replacing OAT’s Apache webserver with another mod_ssl enabled Apache webserver.
• 2. Creating an encryption key and a certificate for your new OAT webserver, so that OAT clients can authenticate your webserver based on your certificate.
• 3. Configure httpd.conf (the Apache configuration file) to enable HTTPS

Replacing OAT’s Apache Webserver with another mod_ssl enabled Apache Webserver

In order to use OAT with https, you will need to have an apache webserver, PHP with some extensions and the apache mod_ssl module. HTTPS functionality is provided by the apache mod_ssl module. Using the OAT automated installer will install an apache webserver and PHP with all the required PHP extensions, however apache webserver bundled with installer is NOT shipped with the mod_ssl module.

Therefore you have to install another apache webserver compiled with the mod_ssl module to replace OAT’s apache webserver. Then dynamically load OAT’s PHP apache handler (a file named libphp5.so, or php5apache2_2.dll on windows, which is the apache and php ‘glue’) to your new apache webserver.

Dynamically loading the mod_ssl module to OAT’s original apache webserver is not possible because the version of OAT’s original apache webserver is 2.2.4. Mod_ssl dynamic module only supports the older apache 1.3.x, It does not support OAT’s apache webserver.

On Linux and Mac OS X,

In order to compile Apache with mod_ssl support, you need to have OpenSSL installed. OpenSSL might have been installed on your Linux distribution already and you only need to find out the installation directory. Note that the OpenSSL binaries have to be 32-bit, because the binaries from the OAT automated installer are 32-bit. We suggest doing this only on a 32-bit machine so that there will be no architectural mismatch among the binaries.

If OpenSSL has not been installed already, you can download the latest source code release from here:

http://www.openssl.org/source/

Then you have to compile the OpenSSL source code. Note that you have to compile 32-bit OpenSSL binaries because the binaries from the OAT automated installer are 32-bit. This can be done by setting CFLAGS to be –m32. Use the following commands:

cd /path/to/openssl/source/code
export CFLAGS=-m32
./config --prefix=/openssl/installation/directory/ --openssldir=/openssl/installation/directory/
make
make install

Stop OAT’s apache webserver by running the /oat/installation/directory/StopApache script. Rename OAT’s Apache_2.2.4 directory to Apache_2.2.4_noSSL. This is a will serve as a backup copy of the apache binaries. You will also need to use some configuration files from this backup Apache directory in later steps. Do make a copy.

Then you have to compile the latest Apache with mod_ssl support. Download the latest Apache source code and compile with the following commands. Note that you have to compile 32-bit Apache binaries because the binaries from the OAT automated installer are 32-bit. This can be done by setting CFLAGS to be –m32. The compilation prefix should match the old OAT apache’s directory (/oat/installation/directory/Apache_2.2.4/)

cd /path/to/apache/source/code
export CFLAGS=-m32
./configure --prefix= /oat/installation/directory/Apache_2.2.4/ --enable-so --enable-ssl --with-ssl= /openssl/installation/directory/
make
make install

Right now Apache should be installed with mod_ssl support. Use the following commands to check if mod_ssl is enabled in Apache.

cd /oat/installation/directory/Apache_2.2.4/bin/
./httpd –M
(Here you will see a list of Apache modules. See if the SSL module is on the list)

Then you have to change the Apache configurations file to load OAT’s PHP Apache handler (The PHP and Apache ‘glue’). Edit the Apache configuration file (/oat/installation/directory/Apache_2.2.4/conf/httpd.conf). Add the following lines. Uncomment if these lines exist but are commented out.

LoadModule php5_module /oat/installation/directory/PHP_5.2.4/libphp5.so
AddType application/x-httpd-php .php
PhpIniDir ‘/oat/installation/directory/PHP_5.2.4/lib’
Setenv INFORMIXDIR ‘/oat/installation/directory/Connect_3.50/’

Search for the line “Listen 80” in the httpd.conf file. This indicates the port number that the OAT webserver should run on. You should use the same port number as OAT’s original Apache webserver that comes with OAT installer.

Search for the line “ServerName www.example.com:80” in the httpd.conf file. This indicates the name and the port that the server uses to identify itself. You should use the same ServerName as the original non-SSL Apache webserver that comes with OAT installer.

Search for the line “DirectoryIndex index.html” in the httpd.conf file. This sets the files that Apache will serve if a directory is requested. Change this line to “DirectoryIndex index.html index.php”

Copy the file /oat/installation/directory/Apache_2.2.4_noSSL/bin/envvars to /oat/installation/directory/Apache_2.2.4/bin/envvars. Apache will read this file to setup the Apache environment variables for OAT to run.

Copy the entire directory /oat/installation/directory/Apache_2.2.4_noSSL/htdocs/openadmin/ to /oat/installation/directory/Apache_2.2.4/htdocs/openadmin/. All the OAT source code resides in this directory.

Run the following commands to make sure that the PHP Apache handler is properly loaded.

cd /oat/installation/directory/Apache_2.2.4/bin/
./httpd –M
(Here you will see a list of Apache modules. See if the php5 module is on the list)

Right now your new webserver should be properly setup for OAT. You may start your webserver by running /oat/installation/directory/StartApache and visit OAT using your web browser.

Note that this server has mod_ssl enabled but HTTPS is not switched on yet. A few more steps are needed to enable HTTPS in the following sections.

On Windows,

First we have to download and install Openssl from the following website:

http://www.openssl.org/related/binaries.html

Then we need to setup Apache with mod_ssl support. Download the latest Win32 Binary including OpenSSL 0.9.8g (MSI Installer). This should be available here:

http://httpd.apache.org/download.cgi

Stop the OAT Apache webserver. There should be a OpenAdmin shortcut in the start menu. You should be able to stop the OAT Apache webserver from there. Make sure that the Apache Monitor is not running on your system tray.

Rename OAT’s Apache_2.2.4 directory to Apache_2.2.4_noSSL. This is a will serve as a backup copy of the apache binaries. You will also need to use some configuration files from this Apache directory in later steps. Do make a copy.

Run the Apache MSI installer. Do a typical install and choose the installation directory to be /oat/installation/directory/Apache_2.2.4

Edit the Apache configuration file (/oat/installation/directory/Apache_2.2.4/conf/httpd.conf). Add or uncomment the following lines in the httpd.conf file:

LoadModule php5_module "c:\oat\installation\dir\PHP_5.2.4\php5apache2_2.dll"
LoadModule ssl_module modules/mod_ssl.so
AddType application/x-httpd-php .php
PhpIniDir 'c:\oat\installation\dir\PHP_5.2.4'

Search for the line “Listen 80” (or “Listen 8080”) in the httpd.conf file. This indicates the port number that the OAT webserver should run on. You should use the same port number as OAT’s original Apache webserver that comes with OAT installer.

Search for the line “ServerName www.example.com:80” in the httpd.conf file. This indicates the name and the port that the server uses to identify itself. You should use the same ServerName as OAT’s original Apache webserver that comes with OAT installer.

Search for the line “DirectoryIndex index.html” in the httpd.conf file. This sets the files that Apache will serve if a directory is requested. Change this line to “DirectoryIndex index.html index.php”

Search for the line “setenv INFORMIXDIR” in the OAT’s original Apache’s configuration file (c:\oat\installation\dir\Apache_2.2.4_noSSL\conf\httpd.conf). This line sets the INFORMIXDIR variable in the Apache environment for OAT. This has NOT been set in your new Apache webserver yet. Copy this line to your new Apache webserver’s httpd.conf file. You can put this at the end of the httpd.conf file.

Copy the entire directory c:\oat\installation\dir\Apache_2.2.4_noSSL\htdocs\openadmin\ to c:\oat\installation\dir\Apache_2.2.4\htdocs\openadmin\. All the OAT source code resides in this directory.

Run the following commands in a command prompt to make sure that the PHP Apache handler and the mod_ssl modules are properly loaded.

cd c:\oat\installation\dir\Apache_2.2.4\bin\
httpd.exe –M
(Here you will see a list of Apache modules. See if the php5 module and the ssl_module are on the list)

Right now your new webserver should be properly setup for OAT. You may now click on ‘Start Apache Service for OpenAdmin’ in OpenAdmin Menu under the Start Menu. You should be able to access OAT using your web browser.

Note that this server has mod_ssl enabled but HTTPS is not switched on yet. A few more steps are needed to enable HTTPS in the following sections.

Creating an Encryption Key and a Certificate for your OAT Webserver

Keys are used in encryption and decryption. They usually come in pairs, the public key and private key. Public keys are used to encrypt messages and private keys are used to decrypt messages. The message encrypted by a public key can only be decrypted by its associated private key.

A HTTPS enabled webserver will have its own pair of public and private key. The webserver will make its public key available to all clients. But nobody else except the webserver will know its private key. Thus all clients will be able to encrypt messages, but only the webserver can decrypt the message. If a client wants to send encrypted messages to the webserver, he will encrypt the message with the public key provided by the webserver and then send out the message. The webserver will use its secret private key to decrypt the client’s message. Hackers who are trying to listen over the network and steal the client’s message will not be able to decrypt the client’s message, because the hacker does not have the private key.

A certificate is a document authenticating a person to be whom he claims to be. A HTTPS enabled webserver will have its certificate, signed by a trusted certificate authority, to authenticate itself to be the real webserver that the clients are talking to. Before a client talks to the webserver, he will be prompted to view and accept the webserver’s certificate. To the client can make sure that the webserver’s certificate is signed by a trusted certificate authority before proceeding with the communication. This prevents hackers from setting up fake webservers to deceive clients.

Once a webserver is HTTPS enabled, clients get to choose whether they want to do a normal connection to the webserver or a secure connection to the webserver. If clients want to do a normal connection, they will type “http://webserver_url” in their web browser. If clients want to do a secure connection, they will type “https://webserver_url”. In a secure connection, the webserver will send the client its certificate and its public key. The client will be prompted to view and accept the webserver’s certificate before the webpage is loaded, so that the client can be sure that the webserver is not a fake webserver created by hackers to deceive you. Once the client accepts the certificate, the client’s web browser will use the public key that it received from the webserver to encrypt communication. Only the webserver has the associated private key, thus only the webserver can decrypt the client’s encrypted communication. Hackers cannot secretly listen and decrypt the communication.

To generate private/public key pairs and the certificate, we use the openssl executable. You should be able to find it under the bin directory of your openssl installation.

To generate a private key, use the following command:

openssl genrsa -des3 -out privkey.pem 2048

The private key will be stored in the privkey.pem file. Store this file in a secure location because this is the webserver’s secret decryption key. This file will be used to generate the associated public key. When we generate the certificate, it will look for this file, it will generate its associated public key and include the public key in the certificate.

To generate a certificate, we create need to create a certificate signing request, and send the certificate signing request to a trusted certificate authority (Such as VeriSign). The authority will then issue you a certificate. Use the following command to generate a certificate request. For more information about the process of signing certificate requests, contact your certificate authority.

openssl req -new -key privkey.pem -out cert.csr

If you don’t want to deal with another certificate authority and you just want to create a certificate for yourself, you can create a self-signed certificate. Note that this is not the recommended way of creating a certificate.

openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095

Openssl will prompt you to enter your personal information. After that the certificate will be stored in the cacert.pem file. This file will be displayed to web clients to verify your identity. It will also include the public key for web clients, thus they can start encrypting communication.

Openssl will also prompt you to enter a pass phrase. This is an extra layer of security. You will need to enter your pass phrase when you start your webserver.

For more information about encryption keys, please consult the OpenSSL documentations:

http://www.openssl.org/docs/HOWTO/keys.txt

For more information about certificates, please consult the OpenSSL documentations:

http://www.openssl.org/docs/HOWTO/certificates.txt

Configure httpd.conf (the Apache configuration file) to enable HTTPS

Edit the apache configuration file.The file should be /oat/installation/directory/Apache_2.2.4/conf/httpd.conf

Search for the following line:

#Include conf/extra/httpd-ssl.conf

This line is commented out by default. Uncomment it so that httpd.conf will include the apache ssl configuration file.

Then edit the apache ssl configuration file.The file should be /oat/installation/directory/Apache_2.2.4/conf/extra/httpd-ssl.conf

HTTPS will require one more ssl port. By default, the ssl port number is set to be 443. Make sure this port is available. If you wish to change this port, edit the Listen directive and the Virtual Host section of the httpd-ssl.conf file.


Search for the ‘SSLCertificateKeyFile’ directive and the ‘SSLCertificateFile’ directive in the httpd-ssl.conf file. These two directives indicate the location of your private key file and the certificate file. Make sure that they point to the privkey.pem and the cacert.pem created in the previous section.


Search for the ‘SSLCipherSuite’ directive. This directive indicates the ciphers for your HTTPS webserver. By default the HTTPS webserver will accept all encryption ciphers. If you wish to accept only the seven strongest ciphers, edit the directive as follow, or else you can keep the default configuration:

SSLProtocol all
SSLCipherSuite HIGH:MEDIUM

For more information about HTTPS configurations, please refer to the following website:
http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html

Final Testing

Your OAT webserver should be secured with HTTPS right now. Restart your webserver and launch OAT with your web browser. Instead of using http://hostname:portnumber/openadmin, try using https://hostname:ssl_portnumber/openadmin. You will be prompted to view and accept OAT webserver’s certificate before the OAT login page is launched.


Note:
On Linux, you can restart your webserver by running the StopApache script and then the StartApache script in the OAT installation directory. You will be prompt to enter the pass phrase before you can start you webserver.


On Windows, you have to restart your webserver with the command prompt. Starting the webserver with Apachemonitor.exe or with the start menu shortcuts doesn’t work because they do not support pass phrases. Use the following command to restart your webserver.

httpd –k restart

If you wish to use Apachemonitor.exe or with the start menu shortcuts to control your webserver, you have to disable pass phrases. Note that this reduces the level of security.

Run the following command:

cd c:/openssl/installation/directory/bin/
openssl rsa -in privkey.pem -out privkey_nopassphrase.pem

Now an unencrypted copy of your private key will be stored in the privkey_nopassphrase.pem file. Edit your httpd-ssl.conf file SSLCertificateKeyFile directive to use the privkey_nopassphrase.pem file instead of the privkey.pem file. Then you will not be prompted to enter a pass phrase when starting your webserver. Apachemonitor.exe and the start menu shortcuts should work now.

Leo Chan

[Read More]

OAT 2.21 has incorporated IDS Enterprise Replication monitoring, a plugin manager to allow customization of OAT functionality and an automated installer on Mac OS X. OpenAdmin Tool for IDS (OAT) is a PHP-based Web browser administration tool for IDS 11 and IDS 11.5 that provides the ability to administer multiple database server instances from a single location. OAT makes administration easy by allowing you to drill down on resource usage and events, view query performance statistics, and much more. And since the tool is written in PHP and available as open source, you can customize it with your own business logic and installation requirements.

New feature highlights of OpenAdmin Tool for IDS version 2.21 include:

• Mac OS X Automated Installer: Automatically setup Apache, PHP, I-Connect and OAT on Mac OS X. For users who want to use or install their own Apache/PHP configurations, OAT is also released as a stand-alone package.



• IDS Enterprise Replication Monitoring: Monitors Spool Disk usage, Send and Receive queues, Receiving/Apply statistics, Routing Topology, node details and much more. OAT Enterprise Replication is provided as a separate plugin. The latest automated installer will install the ER plugin for you, you can also manually place the ER plugin zip file under the OAT plugin_install directory and install it with the plugin manager (requires php zip extension).



• Plugin manager: A simple way to customize OAT functionality. You can download customized OAT plugins and install it with the plugin manager. Sample plugin code is also provided and you can follow the sample in creating your own plugins. Note that the plugin manager requires the php zip extension. The latest OAT2.21 automated installer includes the php zip extension, but OAT2.20 installer does not.

Download OAT version 2.21 now at https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?lang=en_US&source=swg-informixfpd .

Click here to see OAT Enterprise Replication at work!

Leo Chan[Read More]