Friday, June 15, 2012

WAS 8 has SSL turned on for RMI by default

It appears that WAS 8 ships with SSL turned on for RMI/IIOP connections. That subtle configuration difference can give you a lot of headaches, especially if you, like one of our clients, are trying to connect as a JMS thin client. The client-side exception you may encounter will be similar to this one:
javax.naming.ServiceUnavailableException: A communication failure occurred while attempting to obtain an initial context with the provider URL: "iiop://localhost:2812".  Make sure that any bootstrap address information in the URL is correct and that the target name server is running.  A bootstrap address with no port specification defaults to port 2809.  Possible causes other than an incorrect bootstrap address or unavailable name server include the network environment and workstation network configuration. [Root exception is org.omg.CORBA.TRANSIENT: initial and forwarded IOR inaccessible:
Forwarded IOR failed with: java.net.ConnectException: connect: Address is invalid on local machine, or port is not valid on remote machine:host=mresetar-t510,port=0
.
.
.
Caused by: java.net.ConnectException: connect: Address is invalid on local machine, or port is not valid on remote machine
 at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:391)
 at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:252)
As the stack trace has nothing to point you in the right direction, you may wander around trying to change the version of the JMS client and who-knows-what. If you want to change the JMS client (you're on Java 6) and really want to use SSL, then you could follow the notes found here to enable security and here to set up the JMS client.
You can test this by sending a JMS message to the server: put com.ibm.ws.ejb.thinclient_8.0.0.jar and com.ibm.ws.sib.client.thin.jms_8.0.0.jar on the classpath and run the class with the following VM arguments:
-Dcom.ibm.CORBA.Debug=true 
-Dcom.ibm.CORBA.CommTrace=true
-Dcom.ibm.CORBA.Debug.Output=client.log
-Dcom.ibm.SSL.ConfigURL=file:/d:/IBM/WebSphere/Was8Nd/profiles/AppSrv01/properties/ssl.client.props
-Dcom.ibm.CORBA.ConfigURL=file:/d:/IBM/WebSphere/Was8Nd/profiles/AppSrv01/properties/sas.client.props 
-Dcom.ibm.CORBA.loginUserid=admin 
-Dcom.ibm.CORBA.loginPassword=admin 
-Dcom.ibm.CORBA.loginSource=properties
A Java class to test the JNDI connection and to send a JMS message is available here.
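The linked class is not reproduced on this page. The following is an added example of such a test client, not the author's code: it bootstraps JNDI against the provider URL from the exception above and sends one text message. The JNDI names jms/TestCF and jms/TestQueue are hypothetical and must be replaced with the names configured on your server.

```java
import java.util.Hashtable;
import javax.jms.Connection;
import javax.jms.ConnectionFactory;
import javax.jms.Destination;
import javax.jms.MessageProducer;
import javax.jms.Session;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

public class ThinClientJmsTest {
    public static void main(String[] args) throws Exception {
        // Provider URL taken from the exception in the post; override via args.
        String providerUrl = args.length > 0 ? args[0] : "iiop://localhost:2812";
        // Hypothetical JNDI names (assumptions, not from the post).
        String cfName = args.length > 1 ? args[1] : "jms/TestCF";
        String queueName = args.length > 2 ? args[2] : "jms/TestQueue";

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY,
                "com.ibm.websphere.naming.WsnInitialContextFactory");
        env.put(Context.PROVIDER_URL, providerUrl);

        Context ctx = null;
        Connection conn = null;
        try {
            // The bootstrap happens here; an SSL mismatch surfaces as a NamingException.
            ctx = new InitialContext(env);
            ConnectionFactory cf = (ConnectionFactory) ctx.lookup(cfName);
            Destination dest = (Destination) ctx.lookup(queueName);

            conn = cf.createConnection();
            Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
            MessageProducer producer = session.createProducer(dest);
            producer.send(session.createTextMessage(
                    "thin client test " + System.currentTimeMillis()));
            System.out.println("Sent test message to " + queueName);
        } catch (NamingException e) {
            // Print the root cause separately: it carries the forwarded host and port.
            System.err.println("JNDI failure: " + e);
            System.err.println("Root cause: " + e.getRootCause());
            throw e;
        } finally {
            if (conn != null) conn.close();
            if (ctx != null) ctx.close();
        }
    }
}
```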
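On the other hand, if you just want WAS to behave as it did in version 6.1 or 7.0, you can disable RMI SSL. This can be done in the admin console through the "CSIv2 inbound & outbound communications" options found in the Global security menu. Change the Transport property from "SSL-required" to "SSL-supported"; after a restart you should be good to go and able to send JMS messages without SSL. With "SSL-supported" the server accepts both SSL and plain TCP/IP connections for RMI/IIOP, so traffic from clients that connect without SSL is not encrypted.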

6 comments:

  1. Thank you! Was just about to pull my hair out.

  4. Thank you very much for this post.
    We were facing the same issue after migrating from WAS 6 to 8.
    Your blog helped us in resolving this.

  5. Thanks much, I am facing an exception when I went with this step: http://stackoverflow.com/questions/23568162/simple-ejb-client-or-junit-not-working-with-ibm-websphere. Can you help?

    Jugunu

  6. For those of you who like to disable the SSL-required flag as mentioned above.
    Go to:
    Security -> Global security -> RMI/IIOP security -> CSIv2 inbound communications
    Chapter "CSIv2 Transport Layer"
    Change:
    Transport => SSL-supported (instead of SSL-required)

    Repeat for
    Security -> Global security -> RMI/IIOP security -> CSIv2 outbound communications

    Beware: maybe you also need to adjust other security domains as well (as I had to):
    Security -> Security domains -> Click on -> RMI/IIOP security
    Check here if the global setting is used; otherwise you may want to change the settings as done above.
