websphere + SSLv3 SSLContext not available - java

I have a java application that is using hibernate to do a JNDI lookup for the datasource in Websphere Application Server which then talks to a MSSQL database.
The security team has recently patched the Websphere server 8.5.5.4 to disable SSLv3.
As such I'm getting a com.ibm.websphere.ce.cm.StaleConnectionException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "SSLv3 SSLContext not available".
Before this, I could access the data without any issues.
What can I do to overcome this issue? Do I need to configure the application to use TLS?
I'm using Hibernate 4.3.7.
The hibernate config looks like this.
<hibernate-configuration>
  <session-factory>
    <property name="hibernate.connection.driver_class">net.sourceforge.jtds.jdbc.Driver</property>
    <property name="connection.datasource">jdbc/testing</property>
    <property name="hibernate.dialect">org.hibernate.dialect.SQLServerDialect</property>
    <mapping resource="myApplication.hbm.xml" />
  </session-factory>
</hibernate-configuration>
Any help would be greatly appreciated.

I had this issue yesterday.
I solved it by using sqljdbc4.jar instead of sqljdbc4.1 and it works fine.

Maybe you should look at the MSSQL side to check whether TLS (at least 1.0 version) is supported. If not try to enable it.
Otherwise a (not recommended from a security point of view) fix is to enable SSLv3 temporarily by using the following JVM argument until you find a way to communicate through TLS:
-Dcom.ibm.jsse2.disableSSLv3=false

I found a solution. Try updating your sqljdbc4.jar file - it turns out mine was outdated. Alternatively, I also got it running with the solution by #trikelef that enables SSLv3 - but this opens security issues.
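Before swapping drivers or re-enabling SSLv3, it helps to know what the JVM actually offers. The following is an added example (not code from any answer above, and not tied to a particular driver) that lists the protocols the default SSLContext enables and supports, and checks whether a context can still be created under the name a legacy driver might ask for. On the IBM JSSE2 provider with SSLv3 disabled, that last request fails with the "SSLv3 SSLContext not available" message from the question; on other providers the context may be created but SSLv3 is simply absent from the enabled list, so the handshake fails later.

```java
// Added example: reports the TLS/SSL protocols this JVM's default SSLContext
// enables and supports, so you can confirm SSLv3 is gone and TLS is present.
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

public class TlsProtocolCheck {

    /** Protocols the default SSLContext would enable on a new connection. */
    public static List<String> enabledProtocols() throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        return Arrays.asList(ctx.getDefaultSSLParameters().getProtocols());
    }

    /** Protocols the provider implements at all, enabled or not. */
    public static List<String> supportedProtocols() throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        return Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
    }

    /** True if a context can be created by this name (e.g. "SSLv3", "TLSv1.2"). */
    public static boolean contextAvailable(String protocolName) {
        try {
            SSLContext.getInstance(protocolName);
            return true;
        } catch (NoSuchAlgorithmException e) {
            // This is the condition behind "SSLv3 SSLContext not available".
            return false;
        }
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        System.out.println("Enabled by default: " + enabledProtocols());
        System.out.println("Supported         : " + supportedProtocols());
        for (String name : new String[] {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}) {
            System.out.println("SSLContext \"" + name + "\" available: " + contextAvailable(name));
        }
        if (enabledProtocols().contains("SSLv3")) {
            System.out.println("WARNING: SSLv3 is still enabled in this JVM.");
        } else {
            System.out.println("OK: SSLv3 is not enabled; the JDBC driver has to negotiate TLS.");
        }
    }
}
```

Run it with the same JVM and the same -D arguments as the application server. If TLSv1.x is enabled but the driver still asks for an SSLv3 context, the fix is a driver that negotiates TLS (as the two answers above found), not re-enabling SSLv3.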

WebSphere 7 Entity Manager creation issue with Hibernate Provider?

I keep getting
The server cannot create an EntityManagerFactory factory for the default persistent unit from the org.hibernate.ejb.HibernatePersistence provider
when I try to run the web application (.war) on WebSphere 7 + Oracle. This worked well so far under Tomcat + MySQL.
My persistence.xml config:
<persistence-unit name="default">
  <provider>org.hibernate.jpa.HibernatePersistenceProvider</provider>
  <non-jta-data-source>src/test</non-jta-data-source>
  <properties>
    <!-- the dialect class lives in the org.hibernate.dialect package -->
    <property name="hibernate.dialect" value="org.hibernate.dialect.Oracle10gDialect"/>
    <property name="hibernate.hbm2ddl.auto" value="validate"/>
    <property name="hibernate.connection.release_mode" value="after_transaction"/>
  </properties>
</persistence-unit>
There were several solutions for this, after googling. But there was no luck even after trying them for about 2 days.
To fix this issue do we need to install any fix-pack in WebSphere?
Please find the stack-trace files in below link.
https://www.ibm.com/developerworks/community/forums/html/topic?id=e54136aa-fbe0-4576-a41c-4b438475f0a5
In WebSphere v7 to use container managed JPA you need to install feature pack for JPA and it will only support JPA 2.0.
Based on your logs it looks like you are using Hibernate 4.3 which is JPA 2.1.
You can't use that with classic WebSphere Application Server, see Deploying application using Hibernate JPA 2.1 to IBM WebSphere for more details.
So you either would need to downgrade to Hibernate 4.2, use application managed Entity manager, or migrate to WebSphere Liberty Profile server 8.5.5.6 or later which fully supports JPA 2.1.
If your application works on Tomcat, I'd suggest trying WebSphere Liberty, which is also a lightweight, developer-friendly server, available to download for free - https://developer.ibm.com/wasdev/

HTTP Proxy Setup For Java JVM

Setting up an HTTP proxy for Java JVM 6.x isn't working for me; I'm hoping someone can spot what I'm missing.
I have a Java application deployed on JBOSS 5.1.2 that makes several calls to external web services. I'd like to be able to intercept these calls using a proxy: Fiddler version 4.4.8.0.
After doing an SO search I added the following flags to my JBOSS VM parameters at startup:
-DproxySet=true -Dhttp.proxyHost=localhost -Dhttp.proxyPort=8888 -Dhttps.proxyHost=localhost -Dhttps.proxyPort=8888
I'm running JBOSS in IntelliJ 14.
I can see traffic from the browser to the application if I start JBOSS, Fiddler, and open the UI in Chrome. I do not see any calls from JBOSS to external services being intercepted. I thought I would see all the calls from JBOSS to external services in addition to those from the browser to JBOSS.
Update:
I tried adding these to properties-service.xml per this SO answer - no joy.
I'm running Spring 3, using Apache HttpClient as my web service client. I'm going to look into configuring proxy just for it.
Thanks to bmargulies and anyone else who looked at this. I have a solution that I hope will help someone else.
Adding -Dhttp.proxyHost parameters to my JVM startup options did nothing.
Adding those same parameters to JBOSS 5.1.2 configuration in my deployment properties-services.xml did nothing.
I believe that using Spring 3.x is a factor in explaining this behavior. I had to tell the Spring web service clients to use a proxy.
I added some Spring beans to wire in a Fiddler proxy HttpClient and injected that into the web service client, replacing the non-proxied version.
It failed the first time I tried it. It took me a while to figure out that the Apache Commons HttpConfiguration class didn’t follow the Java bean standard, so Spring blew up when it tried to wire it. I had to use the Spring MethodInvokingFactoryBean to get around it.
Here's the pertinent Spring configuration XML:
<!-- New beans for Fiddler proxy -->
<bean id="fiddlerProxyHost" class="org.apache.commons.httpclient.ProxyHost">
  <constructor-arg name="hostname" value="localhost"/>
  <constructor-arg name="port" value="8888"/>
</bean>
<bean id="fiddlerProxyHostConfiguration" class="org.apache.commons.httpclient.HostConfiguration"/>
<bean id="fiddlerProxyHostSetter" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
  <property name="targetObject" ref="fiddlerProxyHostConfiguration"/>
  <property name="targetMethod" value="setProxyHost"/>
  <property name="arguments" ref="fiddlerProxyHost"/>
</bean>
<bean id="fiddlerProxyClient" class="org.apache.commons.httpclient.HttpClient">
  <property name="hostConfiguration" ref="fiddlerProxyHostConfiguration"/>
</bean>
Now I can see the calls from the application to the web service in Fiddler. Joy!
Those parameters, first and foremost, are read by HttpURLConnection. They are specific to HTTP, of course, and so any other means of connecting to the outside world will necessarily ignore them.
There are many good reasons for code to avoid HttpURLConnection and just open a TCP connection through a plain old socket, even if that code plans to talk HTTP. HttpURLConnection has several 'browser emulation features' that get in the way. For example, it's broken for CORS and rejects some legitimate HTTP verbs.
Code that does that and in turn happens to do HTTP might choose to respect those parameters, and it might not. For example, I'm reasonably sure that the Apache Commons HTTP library gives the caller a choice.
If you put JBoss in a debugger and break on the socket connection primitives, I think you'll find out what's happening to you pretty quickly in this respect.
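A quicker first check than a debugger is to ask the JVM itself which proxy it would pick for a given URL. This is an added example (not code from the question or either answer): it queries java.net.ProxySelector, the same selector HttpURLConnection consults, so it shows whether the -Dhttp.proxyHost/-Dhttps.proxyHost arguments reached the JVM at all, and which hosts are excluded by http.nonProxyHosts. A DIRECT result for an external URL means the JVM never saw the flags; a proxy result there while traffic still bypasses Fiddler means the HTTP library in use (as with Commons HttpClient 3 above) does not consult the selector and must be configured explicitly.

```java
// Added example: shows which proxy the JVM's default ProxySelector would use
// for each URL, i.e. what HttpURLConnection would do with the -Dhttp.proxy*
// flags. Libraries that open their own sockets may ignore this entirely.
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.URI;
import java.util.List;

public class JvmProxyCheck {

    /** Proxies the JVM's default selector would try, in order, for the URL. */
    public static List<Proxy> proxiesFor(String url) {
        return ProxySelector.getDefault().select(URI.create(url));
    }

    /** True if at least one non-DIRECT proxy would be used for the URL. */
    public static boolean wouldUseProxy(String url) {
        for (Proxy p : proxiesFor(url)) {
            if (p.type() != Proxy.Type.DIRECT) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample URLs; pass your own web service URLs as arguments.
        String[] urls = args.length > 0 ? args : new String[] {
            "http://example.com/service",
            "https://example.com/service",
            "http://localhost:8080/local"   // normally excluded by http.nonProxyHosts
        };
        System.out.println("http.proxyHost  = " + System.getProperty("http.proxyHost"));
        System.out.println("https.proxyHost = " + System.getProperty("https.proxyHost"));
        for (String url : urls) {
            System.out.println(url + " -> " + proxiesFor(url)
                + (wouldUseProxy(url) ? "  (proxied)" : "  (direct)"));
        }
    }
}
```

Run it with the same -D flags as the JBoss JVM; with -Dhttp.proxyHost=localhost -Dhttp.proxyPort=8888 the external URLs resolve to an HTTP proxy at localhost:8888 while localhost stays direct. For Apache HttpClient 4.3 and later, HttpClientBuilder.useSystemProperties() makes the client honour these same properties; the 3.x Commons HttpClient used in the question has no such switch, which is why the HostConfiguration wiring above was needed.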

JBoss does not reconnect automatically to DB connections on outage

I have this project: https://github.com/AndreaCatania/libreria
I've deployed this project into WildFly 8.2, and when the DB connections go down the AS cannot reconnect automatically and the application freezes (I have to restart the AS).
If I deploy the same project into GlassFish I have no problem.
How can I resolve this issue?
WildFly configuration:
https://github.com/AndreaCatania/libreria/blob/master/standalone-full.xml
https://github.com/AndreaCatania/libreria/blob/master/standalone.xml
On your hibernate.cfg.xml you can add lines like these:
  <property name="hibernate.c3p0.validate">true</property>
  <property name="hibernate.c3p0.preferredTestQuery">select 1</property>
Which will validate connections to Database. Taken from https://confluence.atlassian.com/display/CONF43/Surviving+Database+Connection+Closures
You seem to be using C3P0 which has known problems when the database goes down. You should consider switching to HikariCP which responds better in such situations. Here is an excellent comparison of the various connection pools under database outage.
Alternatively, consider using the pooling functionality provided by the app server.
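To make the two answers above concrete, here is an added example of a HikariCP pool configured so that a database outage produces fast failures and fresh connections afterwards, rather than a hung application. It is not code from the project linked in the question or from either answer; it assumes HikariCP on the classpath and uses a placeholder JDBC URL and credentials. The same ideas (validate before hand-out, bounded wait, periodic retirement) map onto a WildFly managed datasource via its <validation> settings (check-valid-connection-sql, background-validation) if you take the app-server pooling route instead.

```java
// Added example: HikariCP pool tuned to survive a database outage. The pool
// validates each connection before handing it out, bounds how long a caller
// waits, and retires connections so nothing stale lingers after a failover.
import com.zaxxer.hikari.HikariConfig;
import com.zaxxer.hikari.HikariDataSource;
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.concurrent.TimeUnit;

public class ResilientPool {

    public static HikariDataSource build(String jdbcUrl, String user, String password) {
        HikariConfig cfg = new HikariConfig();
        cfg.setJdbcUrl(jdbcUrl);
        cfg.setUsername(user);
        cfg.setPassword(password);
        cfg.setMaximumPoolSize(10);
        // A caller waits at most 5 s for a connection; during an outage it gets
        // an SQLException instead of blocking the request thread forever.
        cfg.setConnectionTimeout(TimeUnit.SECONDS.toMillis(5));
        // Every connection is validated before hand-out; give the check 2 s.
        cfg.setValidationTimeout(TimeUnit.SECONDS.toMillis(2));
        // Only needed for drivers without JDBC4 Connection.isValid(); otherwise omit.
        cfg.setConnectionTestQuery("select 1");
        // Retire connections periodically so a replaced/failed-over database is
        // picked up even for connections that never saw an error.
        cfg.setMaxLifetime(TimeUnit.MINUTES.toMillis(30));
        return new HikariDataSource(cfg);
    }

    /**
     * Runs a trivial query, retrying a few times. A broken connection is
     * evicted by the pool, so the next getConnection() opens a fresh one once
     * the database is reachable again.
     */
    public static boolean ping(HikariDataSource ds, int attempts, long pauseMillis) {
        for (int i = 1; i <= attempts; i++) {
            try (Connection c = ds.getConnection(); Statement s = c.createStatement()) {
                s.execute("select 1");
                return true;
            } catch (SQLException e) {
                System.err.println("attempt " + i + " failed: " + e.getMessage());
                try {
                    Thread.sleep(pauseMillis);
                } catch (InterruptedException ie) {
                    Thread.currentThread().interrupt();
                    return false;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Placeholder URL and credentials; replace with your own datasource.
        try (HikariDataSource ds = build("jdbc:mysql://db.example.invalid:3306/libreria",
                                         "app_user", "app_password")) {
            System.out.println("database reachable: " + ping(ds, 3, 1000));
        }
    }
}
```

The behaviour the question describes (freeze until restart) is what you get when nothing validates pooled connections and callers wait without a bound; the connectionTimeout and validation settings are the two that change that outcome.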

CAS 4.x & Spring Security without SSL

Is it possible to use the CAS 4.x Server with Spring Security without SSL?
I already tried to edit the CAS Server settings.
I added
<bean id="ticketGrantingTicketCookieGenerator"
      class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
      p:cookieSecure="false" p:cookieMaxAge="-1" p:cookieName="TGC"
      p:cookiePath="/cas" />
to the ticketGrantingTicketCookieGenerator.xml
and I also added
<bean id="warnCookieGenerator"
      class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
      p:cookieSecure="false" p:cookieMaxAge="-1" p:cookieName="CASPRIVACY"
      p:cookiePath="/cas" />
to the warnCookieGenerator.xml
I still get the following error from CAS:
Authentication failed because url was not secure.
Is there any other configuration which can make CAS without SSL possible, or isn't it possible in the current version?
Thanks in advance...
The CAS server was made to be a secure channel for authentication. So the CAS server does not work over HTTP. You can change the source of CAS to do it for you, but this does make sense to me.
<bean id="proxyAuthenticationHandler"
      class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
      p:httpClient-ref="httpClient" p:requireSecure="false"/>

Hibernate configuration for Elastic Beanstalk (AWS)

I am working on a Java application using Hibernate.
I would like to deploy it on Elastic Beanstalk (Amazon Web Services) to be able to scale accordingly.
RDS is the database I want to use.
However, I do not know how to give my configuration settings to Elastic Beanstalk. Apparently it is now possible, without having to create an AMI and to use this AMI for each new server (when autoscaling).
I use:
hibernate.cfg.xml
server.xml (link to hibernate.cfg.xml)
But I want to scale easily, so no "manual configuration of EC2 instance" to input those files.
So how can I give those settings to my application without the two files?
How to deploy on Elastic Beanstalk with that info?
Amazon Relational Database Service (RDS) is a web service to set up relational databases in the cloud. RDS supports relational database engines such as MySQL, Oracle, SQL Server. For MySQL change the hibernate.cfg.xml like below
<session-factory>
  <property name="dialect">org.hibernate.dialect.MySQLInnoDBDialect</property>
  <property name="connection.driver_class">com.mysql.jdbc.Driver</property>
  <property name="connection.url">jdbc:mysql://my_sports_entertainment_db_url/news</property>
  <property name="connection.username">my_username</property>
  <property name="connection.password">my_password</property>
</session-factory>
Also check How to 'switch' from MySQL to Amazon RDS with minimal application impact?
I can see a way to do this, but it isn't pretty.
Your instance configuration file can include container commands. These run after the container and application are installed, but before the application is started. At this point, it is possible to edit the Tomcat context.xml file to add a datasource. The text you need to add is the usual datasource configuration. Your problem is that you have to do it from a script. The easiest thing might be to write the configuration and deliver it with your application, then use a container command to apply the mighty sed to splice it into the context.xml.
You have another problem in that the actual configuration you need to write must include things like the hostname, username, and password for RDS, which you won't have during development. AWS does expose these to Java through system properties, so the information must be on the machine somewhere. If you could find it, you could mix it into the configuration when you splice it into the context.xml.
Whilst this may be possible, as I said, it isn't pretty. It feels like a hack. There must be a better way of doing this.
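The second answer notes that AWS exposes the RDS connection details to Java as system properties. The cleaner route that follows from that is to build the Hibernate configuration in code from those properties instead of shipping a hibernate.cfg.xml with a hostname and password baked in. The following is an added example (not code from the question or answers): it reads the RDS_HOSTNAME, RDS_PORT, RDS_DB_NAME, RDS_USERNAME and RDS_PASSWORD system properties that the Elastic Beanstalk Tomcat platform sets when an RDS instance is attached to the environment, fails loudly if one is missing, and uses the Hibernate 4.3 bootstrap API. The mapping resource name is a placeholder.

```java
// Added example: build the Hibernate SessionFactory from the RDS_* system
// properties Elastic Beanstalk provides, so no credentials live in the WAR.
import org.hibernate.SessionFactory;
import org.hibernate.boot.registry.StandardServiceRegistryBuilder;
import org.hibernate.cfg.Configuration;
import org.hibernate.service.ServiceRegistry;

public class RdsHibernateConfig {

    /** Reads a required system property or fails at startup with a clear message. */
    static String required(String key) {
        String value = System.getProperty(key);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("missing system property " + key
                + " (is an RDS instance attached to this Elastic Beanstalk environment?)");
        }
        return value;
    }

    /** Hibernate settings assembled from the environment rather than hibernate.cfg.xml. */
    public static Configuration fromEnvironment() {
        String url = "jdbc:mysql://" + required("RDS_HOSTNAME") + ":" + required("RDS_PORT")
            + "/" + required("RDS_DB_NAME");
        Configuration cfg = new Configuration();
        cfg.setProperty("hibernate.connection.driver_class", "com.mysql.jdbc.Driver");
        cfg.setProperty("hibernate.connection.url", url);
        cfg.setProperty("hibernate.connection.username", required("RDS_USERNAME"));
        cfg.setProperty("hibernate.connection.password", required("RDS_PASSWORD"));
        cfg.setProperty("hibernate.dialect", "org.hibernate.dialect.MySQLInnoDBDialect");
        // Placeholder mapping file name; use your application's own mapping(s).
        cfg.addResource("myApplication.hbm.xml");
        return cfg;
    }

    /** Hibernate 4.3 bootstrap: apply the settings to a service registry, then build. */
    public static SessionFactory buildSessionFactory() {
        Configuration cfg = fromEnvironment();
        ServiceRegistry registry = new StandardServiceRegistryBuilder()
            .applySettings(cfg.getProperties())
            .build();
        return cfg.buildSessionFactory(registry);
    }

    public static void main(String[] args) {
        // Prints the assembled URL (never the password) so a deployment can be sanity-checked.
        Configuration cfg = fromEnvironment();
        System.out.println("Hibernate will connect to " + cfg.getProperty("hibernate.connection.url")
            + " as " + cfg.getProperty("hibernate.connection.username"));
    }
}
```

Because the credentials come from the environment at runtime, the same WAR deploys unchanged to every autoscaled instance and to a local test environment (where you set the RDS_* properties yourself with -D flags), which is what the question was after.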
