I have added restConnector-2.0 feature in Liberty 19.0.0.11.
I changed configuration in server.xml file like below,
<basicRegistry id="bas" relam="BasicRealm">
<user name="kin" password="password"/>
<group name="admin">
<member name="kin"></member>
</group>
</basicRegistry>
<administrator-role>
<user>jayaramu</user>
<group>admin</group>
</administrator-role>
Then I ran the application server and try to validate database connection using below URL,
https://localhost:9443/ibm/api/validation/dataSource/database
It return CWWKO0801E: Unable to initialize SSL connection error in console. 403 error in browser.
Related
I've a SpringBoot App with a local configuration to connect and listen a local Queue
ibm:
mq:
queueManager: LOCAL_QM
channel: DEV.ADMIN.SVRCONN
connName: localhost(1414)
user: admin
password: passw0rd
user-authentication-m-q-c-s-p: false
When a I deploy the app with Gitlab CI some properties are overrided (with a war_name.xml file in ../tomcat/current/conf/Catalina/localhost/) like database connection properties and mq connection properties to listen a Developpement or Qualification environment queue.
But when the app start the database connection is OK but not the MQ connection (The app use the local connection properties defined in the application.yml file)
When I check the xml file on the remote server, the properties are override.
And when I use a tool like spring actuator, I have the right properties override with the specific env properties.
But in the logs: /tomcat/current/logs/catalina.out I can read that the app try to connect to the local queue manage : LOCAL_QM not the specific environment queue.
2021-05-11 12:19:23.484 ERROR 14483 --- [ntContainer#0-1] o.s.j.l.DefaultMessageListenerContainer : Could not refresh JMS Connection for destination '***' - retrying using FixedBackOff{interval=5000, currentAttempts=16093, maxAttempts=unlimited}. Cause: JMSWMQ0018: Failed to connect to queue manager 'LOCAL_QM' with connection mode 'Client' and host name 'localhost(1414)'.; nested exception is com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2538' ('MQRC_HOST_NOT_AVAILABLE')
The properties are in the same xml file, it works for the database "spring.datasource" but not for MQ "ibm.mq"
<?xml version="1.0" encoding="UTF-8"?>
<Context>
<Environment name="spring.datasource.url" value="jdbc:postgresql://***:5432/**" type="java.lang.String"/>
<Environment name="spring.datasource.username" value="****" type="java.lang.String"/>
<Environment name="spring.datasource.password" value="****" type="java.lang.String"/>
<Environment name="ibm.mq.queueManager" value="***" type="java.lang.String"/>
<Environment name="ibm.mq.channel" value="***" type="java.lang.String"/>
<Environment name="ibm.mq.connName" value="***" type="java.lang.String"/>
<Environment name="ibm.mq.user" value="***" type="java.lang.String"/>
<Environment name="ibm.mq.password" value="" type="java.lang.String"/>
</Context>
Any idea why the properties are not overrided ?
Thanks
This started out as a comment, but as I wrote it I suspected that you are missing the relevant ibm.mq properties. If you don't provide the following properties:
ibm.mq.queueManager
ibm.mq.channel
ibm.mq.connName
ibm.mq.user
ibm.mq.password
then they default to
ibm.mq.queueManager=QM1
ibm.mq.channel=DEV.ADMIN.SVRCONN
ibm.mq.connName=localhost(1414)
ibm.mq.user=admin
ibm.mq.password=passw0rd
ie. localhost.
The mq-jms-spring-boot-starter makes use of
import org.springframework.boot.context.properties.ConfigurationProperties;
#ConfigurationProperties(prefix = "ibm.mq")
to read the connection properties. In this module https://github.com/ibm-messaging/mq-jms-spring/blob/master/mq-jms-spring-boot-starter/src/main/java/com/ibm/mq/spring/boot/MQConfigurationProperties.java
So it relies on spring to make the properties prefixed with ibm.mq available to it. ie. As long as spring through #ConfigurationProperties knows how to handle the overrides it will make them available to mq-jms-spring-boot-starter.
I have a sample Java program that works. I try to put the same credentials / queue data into the MDB and I get
Caused by: com.ibm.msg.client.jms.DetailedJMSSecurityException: JMSWMQ2013: The security authentication was not valid that was supplied for QueueManager 'QueueMgr1' with connection mode 'Client' and host name 'queuemgr1.....'.
Please check if the supplied username and password are correct on the QueueManager to which you are connecting.
This is happening in Open Liberty and WAS Liberty.
this is my config
<resourceAdapter id="mq" location="/config/wmq.jmsra.rar" />
<jmsActivationSpec id="Messaging/MessagingEJB/MessagingMDB" authDataRef="MQCredentials" maxEndpoints="1">
<properties.mq
transportType="CLIENT"
hostName="${env.MQ_HOST}"
port="${env.MQ_PORT}"
channel="${env.MQ_CHANNEL}"
queueManager="${env.MQ_QUEUE_MANAGER}"
destinationRef="NotificationQ"
destinationType="javax.jms.Queue" />
</jmsActivationSpec>
<jmsQueue id="NotificationQ" jndiName="jms/StockTrader/NotificationQueue">
<properties.mq baseQueueName="${env.MQ_QUEUE}" baseQueueManagerName="${env.MQ_QUEUE_MANAGER}" />
</jmsQueue>
I am new to WebSphere Liberty profile. I am working on 17.0.0.4 version. What I am trying to achieve is to have custom JAAS login setup for the application. The application works fine on WebSphere 8.5.
I have reviewed so many link from IBM Knowledge Center for the same, but got result with either or with JAAS custom login, but not both of them together. With WebSphere 8.5 we are having level of hierarchy to decide which authentication mechanism goes where, but with Liberty if I setup Custom JAAS authentication mechanism then I can't login to WebSphere Liberty AdminCenter, and if I configure server.xml for , then it does not authenticate my application's user (because it is designed to get authenticate users via JAAS).
Here is my server.xml file.
<?xml version="1.0" encoding="UTF-8"?>
<server description="new server">
<!-- Enable features -->
<featureManager>
<feature>adminCenter-1.0</feature>
<feature>ssl-1.0</feature>
<feature>webProfile-7.0</feature>
<feature>appSecurity-2.0</feature>
</featureManager>
<keyStore id="defaultKeyStore" password="WASLiberty" />
<!-- Admin Center username/password -->
<!--<quickStartSecurity userName="admin" userPassword="admin123" />-->
<!-- Define an Administrator and non-Administrator -->
<basicRegistry id="basic">
<user name="admin" password="{xor}PjsyNjFubWw=" /> <!-- Encoded version of "admin123" -->
<user name="nonadmin" password="nonadmin123" />
</basicRegistry>
<!-- Assign 'admin' to Administrator -->
<administrator-role>
<user>admin</user>
</administrator-role>
<!-- JNDI Connection configuration -->
<dataSource id="MY_CUSTOM_DS" jndiName="jdbc/MY_CUSTOM_DS">
<jdbcDriver libraryRef="sqlserverjdbc"/>
<properties.microsoft.sqlserver databaseName="mydb"
serverName="localhost" portNumber="1433"
user="sa" password="root" />
</dataSource>
<!-- JDBC Driver file location -->
<library id="sqlserverjdbc">
<file name="${wlp.install.dir}/lib/sqljdbc4.jar"/>
</library>
<library id="MyLoginModuleLib">
<fileset dir="${wlp.install.dir}/lib" includes="custom_auth.jar"/>
</library>
<!-- JAAS Login Module for web application -->
<jaasLoginModule id="myCustom"
className="com.kana.auth.websphere.MyLoginModule"
controlFlag="REQUIRED" libraryRef="MyLoginModuleLib">
<options myOption1="value1" myOption2="value2"/>
</jaasLoginModule>
<!-- JAAS Login Context -->
<jaasLoginContextEntry id="system.WEB_INBOUND" name="system.WEB_INBOUND"
loginModuleRef="myCustom, hashtable, userNameAndPassword, certificate, token" />
<!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
<httpEndpoint id="defaultHttpEndpoint"
host="*"
httpPort="9080"
httpsPort="9443" />
<webApplication contextRoot="mywebapp" location="mywebapp.war" />
<!-- Automatically expand WAR files and EAR files -->
<applicationManager autoExpand="true"/>
<!-- Enable remote file access -->
<remoteFileAccess>
<writeDir>${server.config.dir}</writeDir>
</remoteFileAccess>
</server>
Can anyone please point out where I am making mistake?
If you are using custom JAAS login module, then your custom JAAS login module need to ignore the admin center authentication and let the default login modules handle it.
The better option is to use custom TAI to handle application authentication and let the default login modules handle the admin center authentication.
Regards,
Ut Le
Many many thanks Ut Le for providing solution.
From the log file, found that the root cause was ClassNotFound exception. It does not have class which I was pointing to from <jaasLoginModule>. Later on found that I was pointing to jar file which is not at that location. So that was a silly mistake I made for configuration.
I am trying to configure my liberty server for client certificate authentication by these steps:
http://www.ibm.com/support/knowledgecenter/SS7K4U_liberty/com.ibm.websphere.wlp.zseries.doc/ae/twlp_sec_clientcert.html
My liberty configuration:
<server description="new server">
<!-- Enable features -->
<featureManager>
<feature>webProfile-7.0</feature>
<feature>restConnector-1.0</feature>
<feature>localConnector-1.0</feature>
<feature>monitor-1.0</feature>
<feature>jsp-2.3</feature>
<feature>adminCenter-1.0</feature>
<feature>ssl-1.0</feature>
</featureManager>
<!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
<httpEndpoint id="defaultHttpEndpoint"
httpPort="9081"
httpsPort="9444" />
<application id="Sample" name="Sample" type="war" location="Sample.war"/>
<keyStore id="defaultKeyStore" location="key.jks" type="JKS" password="{xor}EzY9Oi0rJg==" />
<keyStore id="defaultTrustStore" location="truststore.jks" type="JKS" password="{xor}EzY9Oi0rJg==" />
<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" clientAuthenticationSupported="true"/>
<webAppSecurity allowFailOverToBasicAuth="true" />
<auth-method>CLIENT-CERT</auth-method>
<basicRegistry id="basic">
<user identity="CN=Admin,O=myOrg,C=country" name="Admin" password="admin" />-->
</basicRegistry>
<administrator-role>
<user>Admin</user>
</administrator-role>
</server>
From java client I get:
CWWKX0229E: There was a problem with the user credentials provided. The server responded with code 401 and message 'Unauthorized'
I think my user mapping is wrong. Can somebody give me an example how to map client certificate with the liberty user?
Is the intent to login to web application using the certificate rather than user/password? You need to define the CLIENT-CERT in web.xml. You will have to install the certificate on your browser from where application will be accesses. Also, Liberty server will need to have the signer certificate in the trust store. You may also define certificate filter if the certificate DN name does match exactly to registry user.
Below command can be added to server.xml so that basic authentication can be use if client certificate authentication did not succeed.
You may also want to confirm that your application does work with basic authentication.
More details at:
http://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.wlp.doc/ae/twlp_sec_clientcert.html
I am trying to deploy a WAR on the remote Tomcat (Remote Machine) using Jenkins deploy to container Plugin.
I have done the following configuration in tomcat-users.xml
<user username="deployer" password="deployer" roles="manager-gui,manager-script,admin" />
I have setup the proper username password and port in Jenkins deployer container plugin. The setup is working fine for the local Tomcat.
But for remote Tomcat I keep getting the following error:
Caused by: org.codehaus.cargo.container.tomcat.internal.TomcatManagerException: The username you provided is not allowed to use the text-based Tomcat Manager (error 403) at org.codehaus.cargo.container.tomcat.internal.TomcatManager.invoke(TomcatManager.java:555)
at org.codehaus.cargo.container.tomcat.internal.TomcatManager.list(TomcatManager.java:686)
at org.codehaus.cargo.container.tomcat.internal.TomcatManager.getStatus(TomcatManager.java:699)
at org.codehaus.cargo.container.tomcat.internal.AbstractTomcatManagerDeployer.redeploy(AbstractTomcatManagerDeployer.java:174)
... 16 more
Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: http://1.203.190.5:8080/manager/text/list
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at org.codehaus.cargo.container.tomcat.internal.TomcatManager.invoke(TomcatManager.java:544) ... 19 more
This seems to be a Jenkins bug but I got around the problem by setting up following configuration in Tomcat:
Edit the file /webapps/manager/META-INF/context.xml:
Previous:
<Context antiResourceLocking="false" privileged="true">
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>
Change this file to comment the Value:
<Context antiResourceLocking="false" privileged="true">
<!--
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
-->
</Context>
This resolved the issue.
I was facing the same issue while deploying artifact to tomcat with jenkins via container plugin,
Solution:- i have added manager-script and manager-gui in the roles of the user and provide the full access to webapps/* directory. It helps me to deploy the artifact successfully and able to view it with manager-app.
My OS : Debain 10
I solved this by editing file /opt/tomcat/conf/tomcat-users.xml and added manager-script role
<role rolename="admin-gui,manager-gui,manager-script,manager-jmx,manager-status,admin-gui"/>
<user username="admin" password="password" roles="admin-gui,manager-gui,manager-script"/>
You just need to add the jenkins IP address to the valve.
You need to update : /webapps/manager/META-INF/context.xml. Because it allows only localhost. If you know the specific hostname or IP, you can add it replacing XXX.XXX.XXX.XXX by the IP address.
It's realy important to keep the security in place.
<Context antiResourceLocking="false" privileged="true" >
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|XXX.XXX.XXX.XXX" />
</Context>
After that, you need to restart tomcat.
$CATALINA_HOME/bin/shutdown.sh && $CATALINA_HOME/bin/startup.sh
If nothing works simply create another user in tomcat-users.xml file with magnager-script role assigned and set this user credential to jenkins .
In tomcat-users.xml file
<tomcat-users>
<user username="deployuser" password="deployuser" roles="manager-script" />
<user username="admin" password="admin" roles="manager-gui" />
</tomcat-users>
In Tomcat 9, you don't need to add any manager-XXX roles. All you have to do is add the users and and assign the manager-gui (for GUI access) and manager-script (for access like Jenkins deployment ).
Also, make sure to edit the file /webapps/manager/META-INF/context.xml, either to comment out valve or define appropriate reg ex for allow attribute
Step 1:
We need to update : \webapps\manager\META-INF\context.xml. Bcs it allows only localhost. If you know the specific hostname or IP, you can add.
<Context antiResourceLocking="false" privileged="true" >
<!-- <Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
-->
</Context>
Step 2:
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<user username="tomcat" password="tomcat" roles="manager-gui, manager-script"/>
Deployment went successful.
I had the same issue. Changing the username to "admin" should do the work.