I want to know because page of deploy tool in my local installation of admin center is blocked (I've installed WAS Liberty in my PC)
I get this message:
Cannot access host or deploy rules information on the server
This is my server.xml
<server description="new server">
<!-- Enable features -->
<featureManager>
<feature>javaee-7.0</feature>
<feature>localConnector-1.0</feature>
<feature>adminCenter-1.0</feature>
<feature>collectiveController-1.0</feature>
<feature>collectiveMember-1.0</feature>
</featureManager>
<!-- This template enables security. To get the full use of all the capabilities, a keystore and user registry are required. -->
<!-- For the keystore, default keys are generated and stored in a keystore. To provide the keystore password, generate an
encoded password using bin/securityUtility encode and add it below in the password attribute of the keyStore element.
Then uncomment the keyStore element. -->
<!--
<keyStore password=""/>
-->
<!--For a user registry configuration, configure your user registry. For example, configure a basic user registry using the
basicRegistry element. Specify your own user name below in the name attribute of the user element. For the password,
generate an encoded password using bin/securityUtility encode and add it in the password attribute of the user element.
Then uncomment the user element. -->
<basicRegistry id="basic" realm="BasicRealm">
<!-- <user name="yourUserName" password="" /> -->
<user name="admin" password="adminpwd"/>
</basicRegistry>
<!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
<httpEndpoint httpPort="9080" httpsPort="9444" id="defaultHttpEndpoint"/>
<!-- Automatically expand WAR files and EAR files -->
<applicationManager autoExpand="true"/>
<keyStore location="${server.output.dir}/resources/security/liberty.jks" password="adminadmin"/>
<administrator-role>
<user>admin</user>
</administrator-role>
<remoteFileAccess>
<writeDir>${server.config.dir}</writeDir>
</remoteFileAccess>
<applicationMonitor updateTrigger="mbean"/>
<webApplication id="prueba" location="prueba.war" name="prueba"/>
</server>
Thanks for your help.
Hard to be sure from the information provided, but my guess is that you manually added the collectiveController-1.0 feature, but didn't actually create the collective (which you would by running the 'collective create {serverName}' command from wlp/bin. Since the deploy tool is only applicable on a collective controller, if it's not configured properly it will not work.
You can find detailed instructions for creating a collective here: https://www.ibm.com/support/knowledgecenter/SSAW57_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/tagt_wlp_configure_collective.html
Related
I´ve got an app that works perfectly if I deploy it (in my local) into WAS. However, I´m getting the following exception connecting to CICS services if if deploy it into Liberty Profile (WebSphere Application Server 8.5.5.8/wlp-1.0.11.cl50820151201-1942) in IBM J9 VM, version pwa6470_27sr2fp10-20141218_02 (SR2 FP10)
:
com.ibm.connector2.cics.CICSUserInputException#a71e6144
[invalidProperties=<null>,errorCode=<null>,linkedException=<null>,
detailMessage=CTG9628E InteractionSpec passed to execute() not of type ECIInteractionSpec,
cause=com.ibm.connector2.cics.CICSUserInputException#a71e6144,stackTrace=<null>,
suppressedExceptions=[]]
However the IteractionSpec IS an instance of ECIInteractionSpec:
This is my server.xml, for what is worth:
<server description="new server">
<featureManager>
<feature>jsp-2.2</feature>
<feature>jpa-2.0</feature>
<feature>jaxrs-1.1</feature>
<feature>cdi-1.0</feature>
<feature>beanValidation-1.0</feature>
<feature>ejbLite-3.1</feature>
<feature>json-1.0</feature>
<feature>apiDiscovery-1.0</feature>
<feature>managedBeans-1.0</feature>
<feature>jca-1.6</feature>
<feature>jndi-1.0</feature>
<feature>javaMail-1.5</feature>
<feature>jaxws-2.2</feature>
<feature>localConnector-1.0</feature>
<feature>jms-1.1</feature>
<feature>servlet-3.1</feature>
</featureManager>
<variable name="SHARED_LIB_ROOT" value="C:\IBM\\IBM\liberty_jars"/>
<variable name="SHARED_LIB_CONFLU" value="C:\IBM\SHARED_LIB"/>
<resourceAdapter autoStart="true" id="eciResourceAdapter" location="${SHARED_LIB_CONFLU}/cicseci-9.1.rar">
<classloader apiTypeVisibility="spec, ibm-api, third-party"/>
</resourceAdapter>
<library apiTypeVisibility="spec, ibm-api, third-party" id="gneislibrary">
<folder dir="${SHARED_LIB_CONFLU}"/>
</library>
<!-- drivers lib -->
<!-- ORACLE -->
<library id="oracle-lib">
<fileset dir="${SHARED_LIB_ROOT}\drivers\oracle" includes="oracle-ojdbc6-11.2.0.3.0.jar"/>
</library>
<!-- DB2 -->
<library id="db2-lib">
<fileset dir="${SHARED_LIB_ROOT}\drivers\db2" includes="db2jcc.jar db2jcc_license_cisuz.jar"/>
</library>
<!-- To access this server from a remote client add a host attribute to
the following element, e.g. host="*" -->
<httpEndpoint httpPort="9080" httpsPort="9443" id="defaultHttpEndpoint"/>
<!-- Automatically expand WAR files and EAR files -->
<applicationManager autoExpand="true"/>
<applicationMonitor updateTrigger="mbean"/>
<connectionFactory id="eciTest" jndiName="eis/CICSPWAS">
<properties.eciResourceAdapter TPNName="SCTG" connectionUrl="my_hostname" portNumber="my_port_number" tracelevel="3" userName="my_user_name"/>
</connectionFactory>
<!-- external libs -->
<library id="external-lib">
<fileset dir="${SHARED_LIB_ROOT}\external-lib" includes="*"/>
<folder dir="${SHARED_LIB_ROOT}\external-lib"/>
</library>
<quickStartSecurity userName="wasadmin" userPassword="123456"/>
<webApplication contextRoot="/myapp" id="oauth" location="myapp.war" name="myapp">
<classloader apiTypeVisibility="spec, ibm-api, third-party" classProviderRef="eciResourceAdapter" commonLibraryRef="gneislibrary" delegation="parentFirst"/>
</webApplication>
<keyStore location="${server.output.dir}/resources/security/key.jks"></keyStore>
</server>
The "CTG9628E InteractionSpec passed to execute() not of type ECIInteractionSpec" message is issued when the CICS TG RAR code checks whether the Interaction Spec passed an instance of the expected ECIInteractionSpec from application. This suggests that the application is not passing the expected ECIInteractionSpec. One possibility could be CICS TG RAR file used for compiling the application is different from version of CICS TG RAR files defined the WebSphere Liberty server profile.
Can you try downloading latest version of CICS TG RAR file from:
https://developer.ibm.com/cics/2016/03/11/cics-tg-sdks
Copy (after extracting) the CICS TG RAR file from /cicstgsdk/api/jee/runtime/managed/cicseci.rar to your application and recompile the application. Also use the same CICS TG RAR in your liberty profile and verify the scenario.
I fixed it. Thanks a lot guys for your help. The project got included transitive dependencies to very old versions of cicseci library. I excluded them. I don´t understand yet why it works perfectly on WAS and it fails in WLP.
I'm writing a simple Spring-based web application and deploy it to Websphere Liberty 8.5.5.9. The deployment fails because the application start fails. The message in console.log is
[ERROR ] CWWKZ0002E: An exception occurred while starting the application userSetting.
The exception message was: com.ibm.ws.container.service.metadata.MetaDataException:
com.ibm.wsspi.adaptable.module.UnableToAdaptException:
com.ibm.ws.javaee.ddmodel.DDParser$ParseException: CWWKC2262E: The server is
unable to process the 3.1 version and the http://xmlns.jcp.org/xml/ns/javaee namespace
in the /META-INF/web-fragment.xml deployment descriptor on line 23.
The last part of the message makes now sense since I don't hav /META-INF or /WEB-INF in the Eclipse project for the application, since I'm deploying with Gradle: gradle clean build deploy.
I've tried all kinds of modifications to the project and, in desperation, I've cut it down to only have the following source code:
#SpringBootApplication
public class UserSettingApplication {
private static final LoggerUtils logger = new LoggerUtils( UserSettingApplication.class );
public static void main(String[] args) {
logger.debug( "Entering UserSettingApplication.main()" );
SpringApplication.run(UserSettingApplication.class, args);
}
}
Can you please advise me how to fix this service start-up problem?
server.xml:
<?xml version="1.0" encoding="UTF-8"?>
<server description="new server">
<!-- Enable features -->
<featureManager>
<feature>jsp-2.2</feature>
</featureManager>
<featureManager>
<feature>adminCenter-1.0</feature>
</featureManager>
<!-- Define the host name for use by the collective.
If the host name needs to be changed, the server should be
removed from the collective and re-joined. -->
<variable name="defaultHostName" value="localhost" />
<!-- Define an Administrator and non-Administrator -->
<basicRegistry id="basic">
<user name="admin" password="********" />
<user name="nonadmin" password="***********" />
</basicRegistry>
<!-- Assign 'admin' to Administrator -->
<administrator-role>
<user>admin</user>
</administrator-role>
<keyStore id="defaultKeyStore" password="*******" />
<!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
<httpEndpoint id="defaultHttpEndpoint"
host="*"
httpPort="9080"
httpsPort="9443" />
<!-- Automatically expand WAR files and EAR files -->
<applicationManager autoExpand="false"/>
</server>
This error appears to be caused by some of your build tooling generating a web-fragment.xml with a Servlet 3.1 schema.
Currently, you have the jsp-2.2 feature enabled, which by default enables servlet-3.0.
To fix the problem, I would recommend upgrading from jsp-2.2 to jsp-2.3 (which will pull in servlet-3.1), or adding <feature>webProfile-7.0</feature> to just enable all of the Java EE 7 web profile features (servlet, JPA, bean validation, cdi, jsf, etc).
So your new server.xml could look like this:
<server description="new server">
<!-- Enable features -->
<featureManager>
<feature>jsp-2.3</feature>
<feature>adminCenter-1.0</feature>
</featureManager>
<!-- rest of file unchanged.... -->
I am new to WebSphere Liberty profile. I am working on 17.0.0.4 version. What I am trying to achieve is to have custom JAAS login setup for the application. The application works fine on WebSphere 8.5.
I have reviewed so many link from IBM Knowledge Center for the same, but got result with either or with JAAS custom login, but not both of them together. With WebSphere 8.5 we are having level of hierarchy to decide which authentication mechanism goes where, but with Liberty if I setup Custom JAAS authentication mechanism then I can't login to WebSphere Liberty AdminCenter, and if I configure server.xml for , then it does not authenticate my application's user (because it is designed to get authenticate users via JAAS).
Here is my server.xml file.
<?xml version="1.0" encoding="UTF-8"?>
<server description="new server">
<!-- Enable features -->
<featureManager>
<feature>adminCenter-1.0</feature>
<feature>ssl-1.0</feature>
<feature>webProfile-7.0</feature>
<feature>appSecurity-2.0</feature>
</featureManager>
<keyStore id="defaultKeyStore" password="WASLiberty" />
<!-- Admin Center username/password -->
<!--<quickStartSecurity userName="admin" userPassword="admin123" />-->
<!-- Define an Administrator and non-Administrator -->
<basicRegistry id="basic">
<user name="admin" password="{xor}PjsyNjFubWw=" /> <!-- Encoded version of "admin123" -->
<user name="nonadmin" password="nonadmin123" />
</basicRegistry>
<!-- Assign 'admin' to Administrator -->
<administrator-role>
<user>admin</user>
</administrator-role>
<!-- JNDI Connection configuration -->
<dataSource id="MY_CUSTOM_DS" jndiName="jdbc/MY_CUSTOM_DS">
<jdbcDriver libraryRef="sqlserverjdbc"/>
<properties.microsoft.sqlserver databaseName="mydb"
serverName="localhost" portNumber="1433"
user="sa" password="root" />
</dataSource>
<!-- JDBC Driver file location -->
<library id="sqlserverjdbc">
<file name="${wlp.install.dir}/lib/sqljdbc4.jar"/>
</library>
<library id="MyLoginModuleLib">
<fileset dir="${wlp.install.dir}/lib" includes="custom_auth.jar"/>
</library>
<!-- JAAS Login Module for web application -->
<jaasLoginModule id="myCustom"
className="com.kana.auth.websphere.MyLoginModule"
controlFlag="REQUIRED" libraryRef="MyLoginModuleLib">
<options myOption1="value1" myOption2="value2"/>
</jaasLoginModule>
<!-- JAAS Login Context -->
<jaasLoginContextEntry id="system.WEB_INBOUND" name="system.WEB_INBOUND"
loginModuleRef="myCustom, hashtable, userNameAndPassword, certificate, token" />
<!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
<httpEndpoint id="defaultHttpEndpoint"
host="*"
httpPort="9080"
httpsPort="9443" />
<webApplication contextRoot="mywebapp" location="mywebapp.war" />
<!-- Automatically expand WAR files and EAR files -->
<applicationManager autoExpand="true"/>
<!-- Enable remote file access -->
<remoteFileAccess>
<writeDir>${server.config.dir}</writeDir>
</remoteFileAccess>
</server>
Can anyone please point out where I am making mistake?
If you are using custom JAAS login module, then your custom JAAS login module need to ignore the admin center authentication and let the default login modules handle it.
The better option is to use custom TAI to handle application authentication and let the default login modules handle the admin center authentication.
Regards,
Ut Le
Many many thanks Ut Le for providing solution.
From the log file, found that the root cause was ClassNotFound exception. It does not have class which I was pointing to from <jaasLoginModule>. Later on found that I was pointing to jar file which is not at that location. So that was a silly mistake I made for configuration.
I am trying to set up a Liberty collective using Docker hosts running linux. The videos they have about setting up Liberty collectives at the moment use Windows and are all on the same machine.
To join the collective so it appears on adminCenter isn't too hard it is just a matter of collective join --host=...
The problem is the administration part i.e. changing the configuration file or stopping and starting the servers is not working.
I tried various ways of passing in hostInfo in server.xml or --sshPrivateKey Hard coding root passwords and none of them work.
According to the instructions all you needed was an openssh-server which I have already enabled and running I have already exposed the ports and verify I can connect to them using a certificate from the controller container as well.
In addition based on the REST API it uses a stringified SSH Private Key itself rather than a file and that should be sent through the collective registerHost but it does not appear to work and there is nothing in the command line logs even with .level=ALL and ...consolelogger...=ALL that show what the hostAuthInfo is.
The one of the commands I ran for collective join is
collective join defaultServer \
--host=controller \
--port=9443 \
--user=adminUser \
--password=adminPassword \
--autoAcceptCertificates \
--rpcUser=root \
--sshPrivateKey=$HOME/.ssh/id_rsa \
--keystorePassword=$PASSWORD \
--createConfigFile=/config/collective-join-include.xml
I say one of because I tried various combinations where I removed or changed --rpcuser, --sshPrivateKey and other authInfo related items.
server.xml of member is at this point ...
<?xml version="1.0" encoding="UTF-8"?>
<server description="Application Server">
<featureManager>
<feature>javaee-7.0</feature>
<feature>clusterMember-1.0</feature>
<!--<feature>scalingMember-1.0</feature>-->
</featureManager>
<remoteFileAccess>
<writeDir>${server.config.dir}</writeDir>
</remoteFileAccess>
<httpEndpoint id="defaultHttpEndpoint" httpPort="9080" httpsPort="9443" host="*"/>
<!--<hostSingleton name="ScalingMemberSingletonService" port="5164" />-->
<applicationManager autoExpand="true"/>
<!--<hostAuthInfo rpcUser="root" sshPublicKeyPath="/root/.ssh/id_rsa.pub" sshPrivateKeyPath="/root/.ssh/id_rsa"/>-->
<include location="${server.config.dir}/collective-join-include.xml"/>
<dataSource id="myds" jndiName="jdbc/sample" type="javax.sql.XADataSource">
<jdbcDriver javax.sql.ConnectionPoolDataSource="org.mariadb.jdbc.MariaDbDataSource" javax.sql.DataSource="org.mariadb.jdbc.MariaDbDataSource" javax.sql.XADataSource="org.mariadb.jdbc.MariaDbDataSource">
<library>
<file name="${server.config.dir}/mariadb-java-client-1.5.9.jar"/>
</library>
</jdbcDriver>
<properties databaseName="jeesample" password="password" serverName="database" user="jeeuser"/>
</dataSource>
<basicRegistry id="basic" realm="BasicRealm">
<user name="websphere" password="{xor}KDo9LC83Oi06"/>
</basicRegistry>
<ejbContainer>
<timerService>
<persistentExecutor taskStoreRef="mystore"/>
</timerService>
</ejbContainer>
<databaseStore dataSourceRef="myds" id="mystore"/>
</server>
Controller side
<?xml version="1.0" encoding="UTF-8"?>
<server description="Collective Controller">
<variable name="defaultHostName" value="controller"/>
<httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443"/>
<featureManager>
<!--<feature>scalingController-1.0</feature>-->
<feature>adminCenter-1.0</feature>
<feature>dynamicRouting-1.0</feature>
</featureManager>
<remoteFileAccess>
<writeDir>${server.config.dir}</writeDir>
</remoteFileAccess>
<!--<scalingDefinitions>
<defaultScalingPolicy enabled="true" min="2" max="2"/>
</scalingDefinitions>-->
<include location="${server.config.dir}/resources/collective/collective-create-include.xml"/>
<collectiveController user="adminUser" password="adminPassword"/>
</server>
By default, when ssh is properly configured and running on the linux machines (controller's and member's host machine), you only need to run the 'collective join' command from the member's wlp/bin dir. You should not need to specify hostInfo nor --sshPrivateKey via server.xml nor the collective updateHost/registHost commands. This flow will use the ssh keys generated by the collective.
The useHostCredentials flag is generally meant to be used with rpcUser and rpcUserPassword (provided via registerHost, updateHost, or server.xml) instead of ssh, especially useful for systems that do not have ssh configured (like windows by default). However, it can also be used to specify custom ssh keys.
If you're still having trouble, provide the collective join command that was ran from the member's wlp/bin, as well as the server.xml of the controller and member.
I am trying to configure my liberty server for client certificate authentication by these steps:
http://www.ibm.com/support/knowledgecenter/SS7K4U_liberty/com.ibm.websphere.wlp.zseries.doc/ae/twlp_sec_clientcert.html
My liberty configuration:
<server description="new server">
<!-- Enable features -->
<featureManager>
<feature>webProfile-7.0</feature>
<feature>restConnector-1.0</feature>
<feature>localConnector-1.0</feature>
<feature>monitor-1.0</feature>
<feature>jsp-2.3</feature>
<feature>adminCenter-1.0</feature>
<feature>ssl-1.0</feature>
</featureManager>
<!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
<httpEndpoint id="defaultHttpEndpoint"
httpPort="9081"
httpsPort="9444" />
<application id="Sample" name="Sample" type="war" location="Sample.war"/>
<keyStore id="defaultKeyStore" location="key.jks" type="JKS" password="{xor}EzY9Oi0rJg==" />
<keyStore id="defaultTrustStore" location="truststore.jks" type="JKS" password="{xor}EzY9Oi0rJg==" />
<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" clientAuthenticationSupported="true"/>
<webAppSecurity allowFailOverToBasicAuth="true" />
<auth-method>CLIENT-CERT</auth-method>
<basicRegistry id="basic">
<user identity="CN=Admin,O=myOrg,C=country" name="Admin" password="admin" />-->
</basicRegistry>
<administrator-role>
<user>Admin</user>
</administrator-role>
</server>
From java client I get:
CWWKX0229E: There was a problem with the user credentials provided. The server responded with code 401 and message 'Unauthorized'
I think my user mapping is wrong. Can somebody give me an example how to map client certificate with the liberty user?
Is the intent to login to web application using the certificate rather than user/password? You need to define the CLIENT-CERT in web.xml. You will have to install the certificate on your browser from where application will be accesses. Also, Liberty server will need to have the signer certificate in the trust store. You may also define certificate filter if the certificate DN name does match exactly to registry user.
Below command can be added to server.xml so that basic authentication can be use if client certificate authentication did not succeed.
You may also want to confirm that your application does work with basic authentication.
More details at:
http://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.wlp.doc/ae/twlp_sec_clientcert.html