I am trying to set up a Liberty collective using Docker hosts running Linux. The videos they have about setting up Liberty collectives at the moment use Windows and are all on the same machine.
Joining the collective so it appears on adminCenter isn't too hard; it is just a matter of collective join --host=...
The problem is that the administration part, i.e. changing the configuration file or stopping and starting the servers, is not working.
I tried various ways of passing in hostInfo in server.xml or --sshPrivateKey, hard-coding root passwords, and none of them work.
According to the instructions all you needed was an openssh-server, which I already have enabled and running. I have already exposed the ports and verified I can connect to them using a certificate from the controller container as well.
In addition, based on the REST API, it uses a stringified SSH private key itself rather than a file, and that should be sent through the collective registerHost, but it does not appear to work, and there is nothing in the command line logs, even with .level=ALL and ...consolelogger...=ALL, that shows what the hostAuthInfo is.
One of the commands I ran for collective join is:
collective join defaultServer \
    --host=controller \
    --port=9443 \
    --user=adminUser \
    --password=adminPassword \
    --autoAcceptCertificates \
    --rpcUser=root \
    --sshPrivateKey=$HOME/.ssh/id_rsa \
    --keystorePassword=$PASSWORD \
    --createConfigFile=/config/collective-join-include.xml
I say one of because I tried various combinations where I removed or changed --rpcuser, --sshPrivateKey and other authInfo related items.
server.xml of member is at this point ...
<?xml version="1.0" encoding="UTF-8"?>
<server description="Application Server">
    <featureManager>
        <feature>javaee-7.0</feature>
        <feature>clusterMember-1.0</feature>
        <!--<feature>scalingMember-1.0</feature>-->
    </featureManager>
    <remoteFileAccess>
        <writeDir>${server.config.dir}</writeDir>
    </remoteFileAccess>
    <httpEndpoint id="defaultHttpEndpoint" httpPort="9080" httpsPort="9443" host="*"/>
    <!--<hostSingleton name="ScalingMemberSingletonService" port="5164" />-->
    <applicationManager autoExpand="true"/>
    <!--<hostAuthInfo rpcUser="root" sshPublicKeyPath="/root/.ssh/id_rsa.pub" sshPrivateKeyPath="/root/.ssh/id_rsa"/>-->
    <include location="${server.config.dir}/collective-join-include.xml"/>
    <dataSource id="myds" jndiName="jdbc/sample" type="javax.sql.XADataSource">
        <jdbcDriver javax.sql.ConnectionPoolDataSource="org.mariadb.jdbc.MariaDbDataSource" javax.sql.DataSource="org.mariadb.jdbc.MariaDbDataSource" javax.sql.XADataSource="org.mariadb.jdbc.MariaDbDataSource">
            <library>
                <file name="${server.config.dir}/mariadb-java-client-1.5.9.jar"/>
            </library>
        </jdbcDriver>
        <properties databaseName="jeesample" password="password" serverName="database" user="jeeuser"/>
    </dataSource>
    <basicRegistry id="basic" realm="BasicRealm">
        <user name="websphere" password="{xor}KDo9LC83Oi06"/>
    </basicRegistry>
    <ejbContainer>
        <timerService>
            <persistentExecutor taskStoreRef="mystore"/>
        </timerService>
    </ejbContainer>
    <databaseStore dataSourceRef="myds" id="mystore"/>
</server>
Controller side
<?xml version="1.0" encoding="UTF-8"?>
<server description="Collective Controller">
    <variable name="defaultHostName" value="controller"/>
    <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443"/>
    <featureManager>
        <!--<feature>scalingController-1.0</feature>-->
        <feature>adminCenter-1.0</feature>
        <feature>dynamicRouting-1.0</feature>
    </featureManager>
    <remoteFileAccess>
        <writeDir>${server.config.dir}</writeDir>
    </remoteFileAccess>
    <!--<scalingDefinitions>
        <defaultScalingPolicy enabled="true" min="2" max="2"/>
    </scalingDefinitions>-->
    <include location="${server.config.dir}/resources/collective/collective-create-include.xml"/>
    <collectiveController user="adminUser" password="adminPassword"/>
</server>
By default, when ssh is properly configured and running on the Linux machines (controller's and member's host machine), you only need to run the 'collective join' command from the member's wlp/bin dir. You should not need to specify hostInfo nor --sshPrivateKey via server.xml nor the collective updateHost/registerHost commands. This flow will use the ssh keys generated by the collective.
The useHostCredentials flag is generally meant to be used with rpcUser and rpcUserPassword (provided via registerHost, updateHost, or server.xml) instead of ssh, especially useful for systems that do not have ssh configured (like Windows by default). However, it can also be used to specify custom ssh keys.
If you're still having trouble, provide the collective join command that was run from the member's wlp/bin, as well as the server.xml of the controller and member.
I'm following the Containerizing, packaging, and running a Spring Boot application guide. After getting it to run, I want to use my own Spring Boot application. So I took my jar, put it into the target directory and updated the server.xml file accordingly:
<?xml version="1.0" encoding="UTF-8"?>
<server description="new server">
    <featureManager>
        <feature>servlet-4.0</feature>
        <feature>springBoot-2.0</feature>
    </featureManager>
    <httpEndpoint id="defaultHttpEndpoint"
                  host="*"
                  httpPort="9080"
                  httpsPort="9443" />
    <springBootApplication id="guide-spring-boot"
                           location="myOwnApp.jar"
                           name="guide-spring-boot" />
    <!--springBootApplication id="guide-spring-boot"
                           location="thin-guide-spring-boot-0.1.0.jar"
                           name="guide-spring-boot" /-->
</server>
Alas, after restarting the Open Liberty server this configuration seems to be totally ignored and my application is not started.
I've got an app that works perfectly if I deploy it (in my local) into WAS. However, I'm getting the following exception connecting to CICS services if I deploy it into Liberty Profile (WebSphere Application Server 8.5.5.8/wlp-1.0.11.cl50820151201-1942) in IBM J9 VM, version pwa6470_27sr2fp10-20141218_02 (SR2 FP10):
com.ibm.connector2.cics.CICSUserInputException#a71e6144
[invalidProperties=<null>,errorCode=<null>,linkedException=<null>,
detailMessage=CTG9628E InteractionSpec passed to execute() not of type ECIInteractionSpec,
cause=com.ibm.connector2.cics.CICSUserInputException#a71e6144,stackTrace=<null>,
suppressedExceptions=[]]
However the InteractionSpec IS an instance of ECIInteractionSpec:
This is my server.xml, for what it's worth:
<server description="new server">
    <featureManager>
        <feature>jsp-2.2</feature>
        <feature>jpa-2.0</feature>
        <feature>jaxrs-1.1</feature>
        <feature>cdi-1.0</feature>
        <feature>beanValidation-1.0</feature>
        <feature>ejbLite-3.1</feature>
        <feature>json-1.0</feature>
        <feature>apiDiscovery-1.0</feature>
        <feature>managedBeans-1.0</feature>
        <feature>jca-1.6</feature>
        <feature>jndi-1.0</feature>
        <feature>javaMail-1.5</feature>
        <feature>jaxws-2.2</feature>
        <feature>localConnector-1.0</feature>
        <feature>jms-1.1</feature>
        <feature>servlet-3.1</feature>
    </featureManager>
    <variable name="SHARED_LIB_ROOT" value="C:\IBM\\IBM\liberty_jars"/>
    <variable name="SHARED_LIB_CONFLU" value="C:\IBM\SHARED_LIB"/>
    <resourceAdapter autoStart="true" id="eciResourceAdapter" location="${SHARED_LIB_CONFLU}/cicseci-9.1.rar">
        <classloader apiTypeVisibility="spec, ibm-api, third-party"/>
    </resourceAdapter>
    <library apiTypeVisibility="spec, ibm-api, third-party" id="gneislibrary">
        <folder dir="${SHARED_LIB_CONFLU}"/>
    </library>
    <!-- drivers lib -->
    <!-- ORACLE -->
    <library id="oracle-lib">
        <fileset dir="${SHARED_LIB_ROOT}\drivers\oracle" includes="oracle-ojdbc6-11.2.0.3.0.jar"/>
    </library>
    <!-- DB2 -->
    <library id="db2-lib">
        <fileset dir="${SHARED_LIB_ROOT}\drivers\db2" includes="db2jcc.jar db2jcc_license_cisuz.jar"/>
    </library>
    <!-- To access this server from a remote client add a host attribute to
         the following element, e.g. host="*" -->
    <httpEndpoint httpPort="9080" httpsPort="9443" id="defaultHttpEndpoint"/>
    <!-- Automatically expand WAR files and EAR files -->
    <applicationManager autoExpand="true"/>
    <applicationMonitor updateTrigger="mbean"/>
    <connectionFactory id="eciTest" jndiName="eis/CICSPWAS">
        <properties.eciResourceAdapter TPNName="SCTG" connectionUrl="my_hostname" portNumber="my_port_number" tracelevel="3" userName="my_user_name"/>
    </connectionFactory>
    <!-- external libs -->
    <library id="external-lib">
        <fileset dir="${SHARED_LIB_ROOT}\external-lib" includes="*"/>
        <folder dir="${SHARED_LIB_ROOT}\external-lib"/>
    </library>
    <quickStartSecurity userName="wasadmin" userPassword="123456"/>
    <webApplication contextRoot="/myapp" id="oauth" location="myapp.war" name="myapp">
        <classloader apiTypeVisibility="spec, ibm-api, third-party" classProviderRef="eciResourceAdapter" commonLibraryRef="gneislibrary" delegation="parentFirst"/>
    </webApplication>
    <keyStore location="${server.output.dir}/resources/security/key.jks"></keyStore>
</server>
The "CTG9628E InteractionSpec passed to execute() not of type ECIInteractionSpec" message is issued when the CICS TG RAR code checks whether the Interaction Spec passed from the application is an instance of the expected ECIInteractionSpec. This suggests that the application is not passing the expected ECIInteractionSpec. One possibility could be that the CICS TG RAR file used for compiling the application is different from the version of the CICS TG RAR files defined in the WebSphere Liberty server profile.
Can you try downloading latest version of CICS TG RAR file from:
https://developer.ibm.com/cics/2016/03/11/cics-tg-sdks
Copy (after extracting) the CICS TG RAR file from /cicstgsdk/api/jee/runtime/managed/cicseci.rar to your application and recompile the application. Also use the same CICS TG RAR in your Liberty profile and verify the scenario.
I fixed it. Thanks a lot guys for your help. The project included transitive dependencies on very old versions of the cicseci library. I excluded them. I don't understand yet why it works perfectly on WAS and it fails in WLP.
I am new to WebSphere Liberty profile. I am working on 17.0.0.4 version. What I am trying to achieve is to have custom JAAS login setup for the application. The application works fine on WebSphere 8.5.
I have reviewed so many links from IBM Knowledge Center for the same, but got a result with either or with JAAS custom login, but not both of them together. With WebSphere 8.5 we have a level of hierarchy to decide which authentication mechanism goes where, but with Liberty, if I set up a custom JAAS authentication mechanism then I can't log in to WebSphere Liberty AdminCenter, and if I configure server.xml for , then it does not authenticate my application's users (because it is designed to authenticate users via JAAS).
Here is my server.xml file.
<?xml version="1.0" encoding="UTF-8"?>
<server description="new server">
    <!-- Enable features -->
    <featureManager>
        <feature>adminCenter-1.0</feature>
        <feature>ssl-1.0</feature>
        <feature>webProfile-7.0</feature>
        <feature>appSecurity-2.0</feature>
    </featureManager>
    <keyStore id="defaultKeyStore" password="WASLiberty" />
    <!-- Admin Center username/password -->
    <!--<quickStartSecurity userName="admin" userPassword="admin123" />-->
    <!-- Define an Administrator and non-Administrator -->
    <basicRegistry id="basic">
        <user name="admin" password="{xor}PjsyNjFubWw=" /> <!-- Encoded version of "admin123" -->
        <user name="nonadmin" password="nonadmin123" />
    </basicRegistry>
    <!-- Assign 'admin' to Administrator -->
    <administrator-role>
        <user>admin</user>
    </administrator-role>
    <!-- JNDI Connection configuration -->
    <dataSource id="MY_CUSTOM_DS" jndiName="jdbc/MY_CUSTOM_DS">
        <jdbcDriver libraryRef="sqlserverjdbc"/>
        <properties.microsoft.sqlserver databaseName="mydb"
                                        serverName="localhost" portNumber="1433"
                                        user="sa" password="root" />
    </dataSource>
    <!-- JDBC Driver file location -->
    <library id="sqlserverjdbc">
        <file name="${wlp.install.dir}/lib/sqljdbc4.jar"/>
    </library>
    <library id="MyLoginModuleLib">
        <fileset dir="${wlp.install.dir}/lib" includes="custom_auth.jar"/>
    </library>
    <!-- JAAS Login Module for web application -->
    <jaasLoginModule id="myCustom"
                     className="com.kana.auth.websphere.MyLoginModule"
                     controlFlag="REQUIRED" libraryRef="MyLoginModuleLib">
        <options myOption1="value1" myOption2="value2"/>
    </jaasLoginModule>
    <!-- JAAS Login Context -->
    <jaasLoginContextEntry id="system.WEB_INBOUND" name="system.WEB_INBOUND"
                           loginModuleRef="myCustom, hashtable, userNameAndPassword, certificate, token" />
    <!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
    <httpEndpoint id="defaultHttpEndpoint"
                  host="*"
                  httpPort="9080"
                  httpsPort="9443" />
    <webApplication contextRoot="mywebapp" location="mywebapp.war" />
    <!-- Automatically expand WAR files and EAR files -->
    <applicationManager autoExpand="true"/>
    <!-- Enable remote file access -->
    <remoteFileAccess>
        <writeDir>${server.config.dir}</writeDir>
    </remoteFileAccess>
</server>
Can anyone please point out where I am making a mistake?
If you are using a custom JAAS login module, then your custom JAAS login module needs to ignore the admin center authentication and let the default login modules handle it.
The better option is to use a custom TAI to handle application authentication and let the default login modules handle the admin center authentication.
Regards,
Ut Le
Many, many thanks, Ut Le, for providing a solution.
From the log file, I found that the root cause was a ClassNotFound exception. It does not have the class which I was pointing to from <jaasLoginModule>. Later on I found that I was pointing to a jar file which is not at that location. So that was a silly mistake I made in the configuration.
I want to know because the deploy tool page in my local installation of admin center is blocked (I've installed WAS Liberty on my PC).
I get this message:
Cannot access host or deploy rules information on the server
This is my server.xml
<server description="new server">
    <!-- Enable features -->
    <featureManager>
        <feature>javaee-7.0</feature>
        <feature>localConnector-1.0</feature>
        <feature>adminCenter-1.0</feature>
        <feature>collectiveController-1.0</feature>
        <feature>collectiveMember-1.0</feature>
    </featureManager>
    <!-- This template enables security. To get the full use of all the capabilities, a keystore and user registry are required. -->
    <!-- For the keystore, default keys are generated and stored in a keystore. To provide the keystore password, generate an
         encoded password using bin/securityUtility encode and add it below in the password attribute of the keyStore element.
         Then uncomment the keyStore element. -->
    <!--
    <keyStore password=""/>
    -->
    <!--For a user registry configuration, configure your user registry. For example, configure a basic user registry using the
        basicRegistry element. Specify your own user name below in the name attribute of the user element. For the password,
        generate an encoded password using bin/securityUtility encode and add it in the password attribute of the user element.
        Then uncomment the user element. -->
    <basicRegistry id="basic" realm="BasicRealm">
        <!-- <user name="yourUserName" password="" /> -->
        <user name="admin" password="adminpwd"/>
    </basicRegistry>
    <!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
    <httpEndpoint httpPort="9080" httpsPort="9444" id="defaultHttpEndpoint"/>
    <!-- Automatically expand WAR files and EAR files -->
    <applicationManager autoExpand="true"/>
    <keyStore location="${server.output.dir}/resources/security/liberty.jks" password="adminadmin"/>
    <administrator-role>
        <user>admin</user>
    </administrator-role>
    <remoteFileAccess>
        <writeDir>${server.config.dir}</writeDir>
    </remoteFileAccess>
    <applicationMonitor updateTrigger="mbean"/>
    <webApplication id="prueba" location="prueba.war" name="prueba"/>
</server>
Thanks for your help.
Hard to be sure from the information provided, but my guess is that you manually added the collectiveController-1.0 feature, but didn't actually create the collective (which you would by running the 'collective create {serverName}' command from wlp/bin). Since the deploy tool is only applicable on a collective controller, if it's not configured properly it will not work.
You can find detailed instructions for creating a collective here: https://www.ibm.com/support/knowledgecenter/SSAW57_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/tagt_wlp_configure_collective.html
I am trying to map my server's public IP address in the WebSphere LP server.xml file, but when I tried to access it from outside I got a connection error. I tried giving host="localhost" and tried to access it from the server itself, and it is working fine.
Is there anything I need to configure in WebSphere LP to access it from outside?
server.xml file
<server description="new server">
    <!-- Enable features -->
    <featureManager>
        <feature>jsp-2.2</feature>
        <feature>localConnector-1.0</feature>
    </featureManager>
    <httpEndpoint host="*" httpPort="8007" httpsPort="9443" id="defaultHttpEndpoint"/>
    <applicationMonitor updateTrigger="mbean"/>
    <library id="worklight-6.0.0">
        <fileset dir="C:\IBM\Liberty\usr\shared\resources" includes="worklight-jee-library-6.0.0.jar"/>
    </library>
    <library id="apps-common">
        <fileset dir="C:\IBM\Liberty\usr\shared\resources" includes="org.hsqldb.hsqldb_2.2.5.jar"/>
    </library>
    <application context-root="/DemoApp" id="DemoApplication" location="DemoApplication.war" name="DemoApplication" type="war">
        <classloader commonLibraryRef="worklight-6.0.0,apps-common"/>
    </application>
</server>
Any help is appreciated.
As per the InfoCenter document for the httpEndpoint configuration element, here: http://pic.dhe.ibm.com/infocenter/wasinfo/v8r5/topic/com.ibm.websphere.wlp.doc/autodita/rwlp_metatype_4ic.html?resultof=%22%68%74%74%70%65%6e%64%70%6f%69%6e%74%22%20#mtFile121
A hostname of * will bind to all available network interfaces - you do not need to do anything extra on the Liberty side, which I believe answers your question.
Setting the hostname to 'localhost' will mean the http endpoint is only accessible from your machine.
Using the configuration as supplied (hostName of *), this should work remotely - so it is likely a firewall issue.
You can check the /servers/yourServer/logs/messages.log file to verify which interfaces your endpoint is binding to - look for a message of the form
WWKO0219I: TCP Channel defaultHttpEndpoint has been started and is now listening for requests on host localhost (IPv4: 127.0.0.1) port 9080.
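Added example, not part of the original answer: a small parser for the messages.log check described above. It extracts every listener-start message and marks each endpoint as loopback-only, wildcard or bound to a specific address, which separates a binding problem from a firewall problem. The function names, the timestamp prefix and the wildcard line format in the sample are assumptions; only the first sample message is taken from the page.

```python
import ipaddress
import re

# Listener-start message from messages.log. The leading "C" is optional
# because the answer above prints the message ID as WWKO0219I.
LISTEN_RE = re.compile(
    r"C?WWKO0219I: TCP Channel (?P<channel>\S+) has been started and is now "
    r"listening for requests on host (?P<host>\S+)\s+"
    r"\((?P<family>IPv[46])(?:: (?P<addr>[^)]+))?\)\s+port (?P<port>\d+)"
)


def classify(host, addr):
    """Return 'wildcard', 'loopback' or 'specific' for one listener."""
    if host == "*":
        return "wildcard"
    if addr:
        try:
            if ipaddress.ip_address(addr).is_loopback:
                return "loopback"
        except ValueError:
            pass  # unparseable address: fall back to the host name
    return "loopback" if host.lower() == "localhost" else "specific"


def listeners(log_text):
    """Return (channel, host, port, scope) for each listener-start line."""
    found = []
    for line in log_text.splitlines():
        m = LISTEN_RE.search(line)
        if m:
            scope = classify(m["host"], m["addr"])
            found.append((m["channel"], m["host"], int(m["port"]), scope))
    return found


def loopback_only(log_text):
    """Listeners a remote client cannot reach, whatever the firewall does."""
    return [entry for entry in listeners(log_text) if entry[3] == "loopback"]


# Constructed sample: line 1 carries the message quoted on the page; the
# timestamp prefix and the wildcard lines are assumed formats.
SAMPLE_LOG = """\
[1/1/24 10:00:00:000 UTC] 00000021 TCPChannel I WWKO0219I: TCP Channel defaultHttpEndpoint has been started and is now listening for requests on host localhost (IPv4: 127.0.0.1) port 9080.
[1/1/24 10:00:01:000 UTC] 00000022 TCPChannel I CWWKO0219I: TCP Channel defaultHttpEndpoint has been started and is now listening for requests on host *  (IPv6) port 8007.
[1/1/24 10:00:01:500 UTC] 00000023 Example I Unrelated log line without a listener message.
[1/1/24 10:00:02:000 UTC] 00000022 TCPChannel I CWWKO0219I: TCP Channel defaultHttpEndpoint-ssl has been started and is now listening for requests on host *  (IPv6) port 9443.
"""

if __name__ == "__main__":
    for entry in listeners(SAMPLE_LOG):
        print(entry)
```

An empty result from loopback_only() on a real log means the endpoint is bound beyond localhost, so the next place to look is the host firewall or network path, as the answer suggests.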