[JIRA] (JENKINS-39182) Test Connection Fails after providing valid certificate to WAS 7 admin console


tmuse@harborfreight.com (JIRA)

Oct 21, 2016, 1:36:02 PM
to jenkinsc...@googlegroups.com
Tim Muse updated an issue
 
Jenkins / Bug JENKINS-39182
Test Connection Fails after providing valid certificate to WAS 7 admin console
Change By: Tim Muse
Issue Type: New Feature → Bug
 
This message was sent by Atlassian JIRA (v7.1.7#71011-sha1:2526d7c)

tmuse@harborfreight.com (JIRA)

Oct 21, 2016, 1:36:03 PM
to jenkinsc...@googlegroups.com
Tim Muse created an issue
 
Jenkins / New Feature JENKINS-39182
Issue Type: New Feature
Assignee: Greg Peters
Components: websphere-deployer-plugin
Created: 2016/Oct/21 5:35 PM
Environment: Websphere 7.0.0.44 Network Deployment Installation
Jenkins 2.17
WebSphere Deployer Plugin 1.4.0
Priority: Major
Reporter: Tim Muse

I've successfully been able to deploy to WAS with self-assigned certificates, but that involved 3 steps:
Copying the dummyclientkey.jks and dummyclienttrust.jks files to the jenkins server and specifying them in the configuration along with exporting the certificate from Chrome when opening the webconsole, adding it to a cacerts keyfile, and restarting jenkins (as jenkins loads the cacerts file upon startup).

I'm now however looking to try and give my WAS installation an Internal cert, and upon doing so, the Deployer Plugin breaks. Test connection comes up with the following:

Connection failed: com.ibm.websphere.management.exception.ConnectorException: ADMC0016E: The system cannot create a SOAP connector to connect to host calws7timdev01.harborfreight.com at port 8879.
at com.ibm.websphere.management.AdminClientFactory.createAdminClientPrivileged(AdminClientFactory.java:634)
at com.ibm.websphere.management.AdminClientFactory.access$000(AdminClientFactory.java:125)
at com.ibm.websphere.management.AdminClientFactory$1.run(AdminClientFactory.java:208)
at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java:63)
at com.ibm.websphere.management.AdminClientFactory.createAdminClient(AdminClientFactory.java:204)
at org.jenkinsci.plugins.websphere.services.deployment.WebSphereDeploymentService.connect(WebSphereDeploymentService.java:449)
at org.jenkinsci.plugins.websphere_deployer.WebSphereDeployerPlugin$DescriptorImpl.doTestConnection(WebSphereDeployerPlugin.java:465)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:324)
at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:167)
at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:100)
at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:124)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
at org.kohsuke.stapler.MetaClass$5.doDispatch(MetaClass.java:233)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
at org.kohsuke.stapler.MetaClass$5.doDispatch(MetaClass.java:233)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
at org.kohsuke.stapler.MetaClass$5.doDispatch(MetaClass.java:233)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:135)
at org.jenkinsci.plugins.ssegateway.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:249)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:132)
at javax.servlet.FilterChain$doFilter.call(Unknown Source)
at com.ceilfors.jenkins.plugins.jiratrigger.ExceptionLoggingFilter.doFilter(ExceptionLoggingFilter.groovy:22)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:132)
at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:132)
at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:126)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:80)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:553)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.server.Server.handle(Server.java:499)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
at com.ibm.websphere.management.AdminClientFactory.createAdminClientPrivileged(AdminClientFactory.java:456)
... 89 more
Caused by: com.ibm.websphere.management.exception.ConnectorNotAvailableException: [SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; targetException=java.lang.IllegalArgumentException: Error opening socket: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at com.ibm.ws.management.connector.soap.SOAPConnectorClient.reconnect(SOAPConnectorClient.java:422)
at com.ibm.ws.management.connector.soap.SOAPConnectorClient.<init>(SOAPConnectorClient.java:222)
... 94 more
Caused by: [SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; targetException=java.lang.IllegalArgumentException: Error opening socket: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at org.apache.soap.transport.http.SOAPHTTPConnection.send(SOAPHTTPConnection.java:475)
at org.apache.soap.rpc.Call.WASinvoke(Call.java:451)
at com.ibm.ws.management.connector.soap.SOAPConnectorClient$4.run(SOAPConnectorClient.java:372)
at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java:118)
at com.ibm.ws.management.connector.soap.SOAPConnectorClient.reconnect(SOAPConnectorClient.java:365)
... 95 more

However, running tests using a java class called SSLPoke (found at https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html), I'm able to connect successfully:

(SOAP port)

java -Djavax.net.ssl.trustStore=cacerts SSLPoke websphere7ndhost 8879
Successfully connected

(HTTPS port)

java -Djavax.net.ssl.trustStore=cacerts SSLPoke websphere7ndhost 9043
Successfully connected

cacerts has both the new internal-signed SSL cert and the Internal CA.

Thoughts? Recommendations?

tmuse@harborfreight.com (JIRA)

Oct 21, 2016, 1:38:02 PM
to jenkinsc...@googlegroups.com
Tim Muse updated an issue
 
Jenkins / Bug JENKINS-39182
Change By: Tim Muse
I've successfully been able to deploy to WAS with self-assigned certificates, but that involved 3 steps:
Copying the dummyclientkey.jks and dummyclienttrust.jks files to the jenkins server and specifying them in the configuration along with exporting the certificate from Chrome when opening the webconsole, adding it to a cacerts keyfile, and restarting jenkins (as jenkins loads the cacerts file upon startup).

I'm now however looking to try and give my WAS installation an Internal cert, and upon doing so, the Deployer Plugin breaks. Test connection comes up with the following:

{code:java}
Connection failed: com.ibm.websphere.management.exception.ConnectorException: ADMC0016E: The system cannot create a SOAP connector to connect to host
calws7timdev01.harborfreight.com websphere7ndhost at port 8879.
{code}


However, running tests using a java class called SSLPoke (found at https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html), I'm able to connect successfully:

(SOAP port)

{code:java}

java -Djavax.net.ssl.trustStore=cacerts SSLPoke websphere7ndhost 8879
Successfully connected
{code}

(HTTPS port)

{code:java}

java -Djavax.net.ssl.trustStore=cacerts SSLPoke websphere7ndhost 9043
Successfully connected
{code}


cacerts has both the new internal-signed SSL cert and the Internal CA.

Thoughts? Recommendations?

gregpeters00@gmail.com (JIRA)

Nov 18, 2016, 7:31:01 PM
to jenkinsc...@googlegroups.com
Greg Peters commented on Bug JENKINS-39182
 
Re: Test Connection Fails after providing valid certificate to WAS 7 admin console

Tim Muse

I'm wondering if this is an SSLv3 vs TLS issue. Can you check to see if the default cert you're using in WAS is SSL and the signed cert you're trying to use is TLS?

-GP

tmuse@harborfreight.com (JIRA)

Nov 18, 2016, 8:16:03 PM
to jenkinsc...@googlegroups.com
Tim Muse updated an issue
Change By: Tim Muse
Environment: Websphere 7.0.0.44 → 7.0.0.41 Network Deployment Installation

Jenkins 2.17
WebSphere Deployer Plugin 1.4.0

tmuse@harborfreight.com (JIRA)

Nov 18, 2016, 8:18:02 PM
to jenkinsc...@googlegroups.com
Tim Muse closed an issue as Incomplete
Change By: Tim Muse
Status: Open → Closed
Resolution: Incomplete

tmuse@harborfreight.com (JIRA)

Nov 18, 2016, 8:18:02 PM
to jenkinsc...@googlegroups.com
Tim Muse commented on Bug JENKINS-39182
 
Re: Test Connection Fails after providing valid certificate to WAS 7 admin console

Greg Peters

I'd love to try that out, but unfortunately I've already dismantled this dev environment. I'll go ahead and close out this bug ticket.

Thanks,
-Tim
