Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

WebSphere Administrative Thin Client and Secure Connection with Non-IBM JRE

30 views
Skip to first unread message

shelle...@cerner.com

unread,
Feb 23, 2009, 6:56:06 PM2/23/09
to
I'm creating a WAS administrative thin client application ([1|http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.nd.doc/info/ae/ae/tjmx_develop.html]), which may be used to administer security-enabled WAS servers. The client app could be run on any JVM (ex: using the IBM JRE or a Sun JRE), so the code (and ideally, as much configuration as possible) will be JRE-agnostic. I've been able to test connecting to a secure WAS instance locally using the IBM JRE, but haven't had any success against a non-IBM JRE (specifically, a Sun 1.5 JRE).

Here is the setup that worked for connecting to the WAS AdminClient with the IBM (WAS 6.1) JRE -
* Included the com.ibm.ws.admin.client JAR on the classpath (specifically, com.ibm.ws.admin.client_6.1.0.jar from /runtimes)
* Included the com.ibm.ws.security.crypto JAR on the classpath (specifically, com.ibm.ws.security.crypto_6.1.0.jar from /plugins)
* Copied local version of / /etc/DummyClientKeyFile.jks to /etc/DummyClientKeyFile.jks
* Copied local version of / /etc/DummyClientTrustFile.jks to /etc/DummyClientTrustFile.jks
* Basic connection logic -
{code}
final Properties clientProps = new Properties();
clientProps.setProperty(AdminClient.CONNECTOR_TYPE, AdminClient.CONNECTOR_TYPE_SOAP);
clientProps.setProperty(AdminClient.CONNECTOR_HOST, host);
clientProps.setProperty(AdminClient.CONNECTOR_PORT, port);
clientProps.setProperty(AdminClient.CONNECTOR_SECURITY_ENABLED, "true");
clientProps.setProperty(AdminClient.USERNAME, user);
clientProps.setProperty(AdminClient.PASSWORD, password);
clientProps.setProperty("javax.net.ssl.trustStore", new File("etc/DummyClientKeyFile.jks").getAbsolutePath());
clientProps.setProperty("javax.net.ssl.keyStore", new File("etc/DummyClientTrustFile.jks").getAbsolutePath());
clientProps.setProperty("javax.net.ssl.trustStorePassword", "WebAS");
clientProps.setProperty("javax.net.ssl.keyStorePassword", "WebAS");
final AdminClient adminClient = AdminClientFactory.createAdminClient(clientProps);
{code}
This loosely follows the documentation from the WAS InfoCenter ([2|http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.nd.doc/info/ae/ae/txml_adminclient.html],[3|http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.javadoc.doc/public_html/api/com/ibm/websphere/management/AdminClient.html]) (it seems that fewer configuration files were actually needed).

When attempting to run the admin client with a non-IBM JRE (Sun 1.5 JRE), I've tried various different configuration files and options, which all result in the same stack trace:
{code}
Exception in thread "main" . . .
Caused by: com.ibm.websphere.management.exception.ConnectorException: ADMC0053E: The system cannot create a SOAP connector to connect to host localhost at port 8880 with SOAP connector security enabled.
at com.ibm.websphere.management.AdminClientFactory.createAdminClient(AdminClientFactory.java:486)
. . .
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
at com.ibm.websphere.management.AdminClientFactory.createAdminClient(AdminClientFactory.java:341)
... 2 more
Caused by: com.ibm.websphere.management.exception.ConnectorNotAvailableException: [SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket: java.lang.NullPointerException; targetException=java.lang.IllegalArgumentException: Error opening socket: java.lang.NullPointerException]
at com.ibm.ws.management.connector.soap.SOAPConnectorClient.reconnect(SOAPConnectorClient.java:344)
at com.ibm.ws.management.connector.soap.SOAPConnectorClient.(SOAPConnectorClient.java:177)
... 7 more
Caused by: [SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket: java.lang.NullPointerException; targetException=java.lang.IllegalArgumentException: Error opening socket: java.lang.NullPointerException]
at org.apache.soap.transport.http.SOAPHTTPConnection.send(Unknown Source)
at org.apache.soap.rpc.Call.invoke(Unknown Source)
at com.ibm.ws.management.connector.soap.SOAPConnectorClient$4.run(SOAPConnectorClient.java:317)
at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java:118)
at com.ibm.ws.management.connector.soap.SOAPConnectorClient.reconnect(SOAPConnectorClient.java:302)
... 8 more
{code}

I've updated the various SSL configuration settings in the ssl.client.props file (com.ibm.SSL.ConfigURL), similar to the description in the WAS 7.0 documentation ([4|http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/tcli_ejbthinclient.html]), and have tried generating a new keystore and truststore. Are there any recommendations for how to connect to WAS using a non-IBM JRE? Has anyone successfully done this?

[1] http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.nd.doc/info/ae/ae/tjmx_develop.html
[2] http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.nd.doc/info/ae/ae/txml_adminclient.html
[3] http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.javadoc.doc/public_html/api/com/ibm/websphere/management/AdminClient.html
[4] http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/tcli_ejbthinclient.html

Brian S Paskin

unread,
Feb 23, 2009, 11:33:13 PM2/23/09
to
Hi, there are a bunch of jar files that are needed for the connection to happen. It appears that you may be missing one or more.

Regards,
Brian

shelle...@cerner.com

unread,
Feb 24, 2009, 11:25:24 AM2/24/09
to
Thanks. Is there any documentation describing what additional JARs are needed? (The administrative thin client documentation [1] indicates that only the admin client JAR and security crypto JAR should be needed.)

[1] http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/txml_adminclient.html

a....@science-computing.de

unread,
Feb 25, 2009, 2:30:45 PM2/25/09
to
Hi!

Have you already looked at
Link: http://www-03.ibm.com/servers/eserver/zseries/software/java/jsse.html#using

There is a tiny difference in JSSE between Sun Java and IBM Java, which however
does make a difference if one tries to connect to the IBM Java remotely with SSL turned on.

There were a lot of discussions on Sun Forums on how to bind IBM JSSE into Sun JVM properly
and in a compatible way.

Cheers!

0 new messages