IIS is redirecting to Tomcat but SSL is not occurring: basically the web page opens, but the AD user is not "captured" in the process.
The application triggers a "User not Informed" error, which is a designed error for when an AD account is not registered in the system. In our tests the users are registered, so I can conclude that Windows authentication does not occur correctly.
I get browser error:
Generic Connector Communication Error:
Please check and adjust your setup:
Ensure that Tomcat is running on given host and port.
If this is a timeout error consider adjusting IIS timeout by changing executionTimeout attribute in web.config (see manual).
connection between Tomcat and IIS experienced error. Please check log
at BonCodeAJP13.BonCodeAJP13ServerConnection.p_CreateConnection(BonCodeAJP13PacketCollection packetsToSend)
at BonCodeIIS.BonCodeCallHandler.ProcessRequest(HttpContext context)
Are there any extra settings I should configure in IIS, or any IIS logs I could check, to confirm which AD user is actually accessing Tomcat?
Important notes:
IIS 8 (Windows Server 2012) / apache-tomcat-7.0.64 / jdk-7u79-windows-x64
Tomcat service is impersonating (log on as) an AD service account which connects to a SQL 2012 database. Connection to the database occurs through Microsoft JDBC driver.
Only IIS root has a web.config file, application itself does not.
Anonymous + Windows Authentication (Kerberos) are enabled in IIS.
Please let me know of any other relevant information I should provide to help with this troubleshooting.
Thank you so much for all help!
BR
I was able to figure out the problem and fix it.
It was a misconfiguration in the Tomcat server.xml "Connector" settings. I added tomcatAuthentication="false" and now it works flawlessly.
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false"/>
I'm trying to monitor my WLP v8.5.5 with JConsole.
My Liberty profile is up and running and has SSL properly configured.
I also have configured as features the monitor-1.0 and restConnector-1.0.
After that I sftp'ed from my WLP the restConnector.jar to my machine and created a keystore on my machine as described here
After that I'm trying to start JConsole with this command:
jconsole -J-Djava.class.path="C:\Program Files\Java\jdk1.7.0_67\lib\jconsole.jar;
C:\Program Files\Java\jdk1.7.0_67\lib\tools.jar;
<whereIDownloaded>\restConnector.jar"
-J-Djavax.net.ssl.keyStore="<locationToCreated>\keystore.jks"
-J-Djavax.net.ssl.keyStorePassword=<password>
-J-Djavax.net.ssl.keyStoreType=jks
-J-Dcom.ibm.ws.jmx.connector.client.disableURLHostnameVerification=true
However, when I try to connect to my WLP via remote with the string:
service:jmx:rest://<ip>:<httpsPort>/IBMJMXConnectorREST
As a credential I'm passing a user configured on <administrator-role>.
I get a JConsole error saying:
Secure connection failed. Retry insecurely?
I don't get why I'm seeing this error, and I don't see any logs to see why it failed.
My next step is getting the keystore from WLP and trying that on my machine, but I don't think that makes much sense.
Does anyone have any suggestion on where I should look for logs, or on what I'm doing wrong?
Thanks in advance!
Reference:
http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.wlp.nd.doc/ae/twlp_mon.html?cp=SSAW57_8.5.5%2F1-3-11-0-6&lang=en
Ensure you don't have the localConnector-1.0 feature. If you have it, please remove it. You can find more details here: Remote monitoring of Liberty with Health Center. Although it discusses the Health Center connection, I was testing using JConsole also.
UPDATE
You might be invoking JConsole with incorrect params: it should be trustStore, not keyStore, see below. And to start with, use the key.jks copied from Liberty (as you need the Liberty certificate as trusted).
jconsole -J-Djava.class.path=%JAVA_HOME%/lib/jconsole.jar;
%JAVA_HOME%/lib/tools.jar;
%WLP_HOME%/clients/restConnector.jar
-J-Djavax.net.ssl.trustStore=key.jks
-J-Djavax.net.ssl.trustStorePassword=Liberty
-J-Djavax.net.ssl.trustStoreType=jks
For details check Configuring secure JMX connection to the Liberty
As an additional note - you must not have a webAppSecurity entry with loginFormURL set in your server.xml as this will cause the JMX login to fail (e.g., <webAppSecurity loginFormURL="login.html"/> is problematic). Each individual WAR needs to set their own login-config and not rely on any global method of configuring logins.
I was following this blog to set up an SSL connection: One-Way SSL with JAX-WS using JDeveloper 11gR1 and WLS 10.3.1
One of the steps mentioned is to enable the Administration port from the WebLogic console. I did that and changed the Admin port. But after saving, everything got messed up: the console closed and I could not run the application from JDeveloper.
The Error message is:
User 'principals=[weblogic, Administrators]' has administration role. All tasks by adminstrators must go through an Administration Port.
**** Authentication error while connecting to application server IntegratedWebLogicServer. Please check settings.
**** Failed to complete start-up of application server IntegratedWebLogicServer.
[Server Instance IntegratedWebLogicServer is shutting down. All applications currently running will be terminated and undeployed.]
[Forcing termination of IntegratedWebLogicServer]
taskkill /F /PID 7480
Process exited.
This blog: SOA OIM integration and WebLogic administration port
discusses this issue BUT under the assumption that I can access the WebLogic console, which is not possible for me.
I am using JDeveloper 11.1.1.7 and WebLogic 10.3.
The problem was solved by deleting the system files for JDeveloper. This action will re-instantiate the WebLogic server. In my case this file is located at the following path: C:\Users\[UserName goes here]\AppData\Roaming\JDeveloper.
Check this thread from the Oracle community for more information: Authentication error while connecting to application server IntegratedWebL
I'm new to authentication through the Kerberos protocol, so I tried to read a lot of how-tos on it, but it seems I can't find anything specific to my constraints. Here is what I have:
An Active Directory Server on which users authenticate to log into their workstations
Each end user uses IE 7 to connect to my intranet application
An Apache server with load balancing
Some Tomcat servers acting as workers for the Apache server.
On each Tomcat I have 2 Jakarta servlets running; users connect to only one servlet (further on I will call it "the servlet", as if there is only one).
My Tomcats need to run under JDK 5. Not JDK 6 or JDK 4. It's JDK 5, period.
Now I want users to automatically get logged on to my servlet. Basically I just need my servlet to retrieve the client's principal, then I can manage the rest.
Based on what I understood, my client has a ticket, he asks the KDC for a special ticket for accessing the Apache server, then he tries to connect to the Apache server. Based on its keytab, the Apache server then decodes the auth data and grants/refuses access to the specified resource.
Am I right? Please guide me through this; I've been reading pages for 4 days and still have no clue which solution is the most appropriate. I tried mod_auth_kerb for Apache, but instead of grabbing the user's ticket it asks for it like a basic auth. Apparently SPNEGO
Thanks
OK, I got this working:
Install Kerberos 5 + Apache 2 + mod_auth_kerb.
On your AD, generate a keytab with only the principal you will use for Apache. I use HTTP/apache.mydom.com@MYDOM.COM
Put this keytab file on your Apache server and make it readable only by your Apache user.
Then edit your Apache conf with these directives for your secure location
apache.conf:
[…]
ServerName apache.mydom.com:80
[…]
LoadModule auth_kerb_module modules/mod_auth_kerb.so
[…]
<LocationMatch /secure>
[… some other stuff …]
Order allow,deny
Allow from all
AuthType Kerberos
AuthName "Authentification requise"
KrbAuthRealms MYDOM.COM
#this allows user to be saved in the request
KrbSaveCredentials on
#this one force Negotiate AuthType instead of basic fallback
KrbMethodNegotiate on
#this trims the realm from the username saved in the request (request.getRemoteUser() will give you "user" instead of "user@MYDOM.COM")
KrbLocalUserMapping on
KrbAuthoritative on
KrbVerifyKDC on
Krb5Keytab /install/binaries/httpd/apache.keytab
KrbServiceName HTTP
require valid-user
</LocationMatch>
And the one thing I almost failed to find on the web: you have to modify your Tomcat server config (tomcat/conf/server.xml):
<Connector [... AJP connector configuration ...] tomcatAuthentication="false"/>
This is really important, because without it your Tomcat won't retrieve any info from tomcat auth.
Don't forget too, DNS is really really really really important for a Kerberos install. If you have any issue, try checking your DNS for all of your servers.
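Both answers above (the IIS/BonCode fix and the mod_auth_kerb setup) rely on tomcatAuthentication="false", which makes Tomcat accept whatever user name the front end sends over AJP, so the AJP connector must only be reachable by that front end. The following is an added audit script, not code from any of the answers; it flags AJP connectors with that setting that are not bound to loopback or lack a worker secret (requiredSecret in older Tomcat, secret in 7.0.100+/8.5.51+/9.0.31+). The server.xml it parses is a constructed sample.

```python
# Added example: audit a Tomcat server.xml for AJP connectors that trust the
# upstream-supplied identity (tomcatAuthentication="false").  Such a connector
# must be reachable only by the reverse proxy, otherwise anyone who can open
# the AJP port can claim any user name.  Sample XML below is constructed.
import xml.etree.ElementTree as ET

SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <!-- weak: identity trusted from upstream, listens on every interface -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               tomcatAuthentication="false"/>
    <!-- hardened: loopback only plus a shared secret with the proxy -->
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               tomcatAuthentication="false" requiredSecret="PLACEHOLDER"/>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# Attribute name depends on the Tomcat version; check both spellings.
SECRET_ATTRS = ("requiredSecret", "secret")


def audit_ajp_connectors(server_xml):
    """Return one finding dict per AJP connector with tomcatAuthentication=false.

    Each finding carries the connector port and a list of issues (empty when
    the connector is restricted to loopback and carries a worker secret).
    """
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        if conn.get("tomcatAuthentication", "true").lower() != "false":
            continue  # Tomcat authenticates itself; upstream identity ignored
        issues = []
        if conn.get("address") not in LOOPBACK:
            issues.append("not bound to loopback; restrict address= to the proxy-facing interface")
        if not any(conn.get(attr) for attr in SECRET_ATTRS):
            issues.append("no AJP secret; set requiredSecret/secret to match the proxy worker")
        findings.append({"port": conn.get("port"), "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        state = "OK" if not finding["issues"] else "; ".join(finding["issues"])
        print("AJP connector on port %s: %s" % (finding["port"], state))
```

Run it against a real server.xml by reading the file into a string; a connector whose address is a private proxy-facing IP is still reported here and needs a manual check that only the proxy can reach it.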
I've been trying all day to set Tomcat 6.0 up for SSL. I know it shouldn't be that hard. I've followed the Tomcat documentation in creating my own Certificate, configuring the connectors in the server.xml file.
When I go to https://localhost:8443, (8443 is the port I defined in the connector) my certificate does not render on the screen, and my browser tells me that it was unable to make a secure connection to the server and that my client may not have the certificate.
My question is, why isn't my certificate rendering for the user to say "Trust" or "Not"?
There's full documentation in the SSL HowTo for Tomcat 6. I don't know how far you've gone in setting up your SSL for me to help you.
Make sure that in server.xml in APACHE_HOME/conf has both Connector for port 8080 and 8443 enabled.
Do you happen to have a tcnative-1.dll file in apache-tomcat-6.xxx\bin\ folder?
If so, it will not work with your current <Connector/> configuration. Remove the file or rename the extension and restart the tomcat server again.
This is stated in "Edit the Tomcat Configuration File" section of http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
I ended up figuring it out.
The issue was regarding to my protocol variable in my Connector:
This is what I had: protocol="HTTP/1.1"
Now I have this: protocol="org.apache.coyote.http11.Http11Protocol"
The only issue now is that Chrome or IE won't run the site as HTTPS because I signed the certificate myself and am not a CA.
I'm installing ArcGIS Server for the Java platform on CentOS 5.5 x86_64. This is not a supported platform, but I have overcome almost every problem preventing the success of the installation. It makes heavy use of Sun Directory Server. The last error I received was:
ldap_simple_bind: Can't connect to the ldap server - No route to host
It happens in other applications which make use of it, so it seems to be a specific problem of Sun Directory Server on Linux and Solaris. There is no reported solution. Usually I search the problem as much as I can, but this time I have run out of patience and I need it working as soon as possible. I recognize this as an excellent forum because of its community and quality of answers; can anybody help me with this?
The "No route to host" error suggests that the issue is one of network connectivity between your ArcGIS server (the Sun Directory Server component, as you mention) and the LDAP server. So, a few things to examine, in order:
Do you have an LDAP server set up and running?
Is your LDAP server reachable from your Centos machine outside of the ArcGis server?
Is your ArcGis configured with the correct address to the LDAP server - should be in the web.config file? Example below:
<connectionStrings>
<add name="ADConnectionString"
connectionString="LDAP://SERVER_LDAP:389/ou=Sigestredi,o=Sicondef,dc=aplicaciones,o=mdef,c=es" />
</connectionStrings>
Disclaimer: I don't know anything about the ArcGIS server per se - I'm just diagnosing the "no route to host error" with a few snippets I picked up from some quick searches of the ArcGis forums.
ArcGIS includes a Sun Directory Server on it, so arcgis server and ldap are on the same machine. The port is set to 62000. When I run the diagnostic tool the DG028 fails:
DG028 - check LDAP server: is listening
I did a probe using nmap:
nmap localhost -p62000
And it says it is open. I don't know how to verify if LDAP is up and running; the startup log doesn't show anything wrong. I have found a config file named ldap.conf:
url ldap://name.subdomain.domain:62000/dc=name,dc=arcgis
admnm agsadmin
And my /etc/hosts is:
127.0.0.1 localhost localhost
ip_direction name.subdomain.domain name.subdomain.domain
I don't have an alias for "name", so:
ping name.subdomain.domain
Works
But:
ping name
Doesn't work
I have never used ldap so I don't know what should be on "dc". Could my hosts file be malformed or is my ldap.conf?
Another piece of information is that the computer I am using is part of a domain. When I installed CentOS, the /etc/hosts file had an alias for the loopback interface as localhost.localdomain, but I removed it.
I would appreciate any help.
I have solved my problem; the problem was in my /etc/hosts file. I added an alias for my IP address:
127.0.0.1 localhost localhost
ip_direction name.subdomain.domain name
Then I ran the ServerConfig script. This is a successful installation of ArcGIS Server for the Java platform on Linux. Thanks Greg for your guide.