IBM Websphere Liberty Profile: How to map Public IP Address in Websphere

I am trying to map my server public IP address in the Websphere LP server.xml file, but when I tried to access it from outside I am getting a connection error. I tried giving host="localhost" and tried to access from the server itself, and it is working fine.
Is there anything I need to configure in Websphere LP to access it from outside?
server.xml file:
<server description="new server">
<!-- Enable features -->
<featureManager>
<feature>jsp-2.2</feature>
<feature>localConnector-1.0</feature>
</featureManager>
<httpEndpoint host="*" httpPort="8007" httpsPort="9443" id="defaultHttpEndpoint"/>
<applicationMonitor updateTrigger="mbean"/>
<library id="worklight-6.0.0">
<fileset dir="C:\IBM\Liberty\usr\shared\resources" includes="worklight-jee-library-6.0.0.jar"/>
</library>
<library id="apps-common">
<fileset dir="C:\IBM\Liberty\usr\shared\resources" includes="org.hsqldb.hsqldb_2.2.5.jar"/>
</library>
<application context-root="/DemoApp" id="DemoApplication" location="DemoApplication.war" name="DemoApplication" type="war">
<classloader commonLibraryRef="worklight-6.0.0,apps-common"/>
</application>
</server>
Any help is appreciated.

As per the InfoCenter document for the httpEndpoint configuration element, here: http://pic.dhe.ibm.com/infocenter/wasinfo/v8r5/topic/com.ibm.websphere.wlp.doc/autodita/rwlp_metatype_4ic.html?resultof=%22%68%74%74%70%65%6e%64%70%6f%69%6e%74%22%20#mtFile121
A hostname of * will bind to all available network interfaces - you do not need to do anything extra on the Liberty side, which I believe answers your question.
Setting the hostname to 'localhost' will mean the http endpoint is only accessible from your machine.
Using the configuration as supplied (hostName of *), this should work remotely - so it is likely a firewall issue.
You can check the /servers/yourServer/logs/messages.log file to verify which interfaces your endpoint is binding to - look for a message of the form
WWKO0219I: TCP Channel defaultHttpEndpoint has been started and is now listening for requests on host localhost (IPv4: 127.0.0.1) port 9080.
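The log check described in this answer can be scripted. The following is an added example, not part of the original answer: it reads the listener-start messages from messages.log and says whether an unreachable port points at the httpEndpoint host setting or at the network. The sample log lines are constructed, and the "(IPv6)" form of the wildcard line is an assumption about the log format.

```python
import ipaddress
import re

# Listener-start message as quoted in the answer. The id is not anchored at
# its start, so a longer prefixed message id also matches.
LISTEN_RE = re.compile(
    r"WWKO0219I: TCP Channel (?P<endpoint>\S+) has been started and is now "
    r"listening for requests on host (?P<host>\S+)\s+"
    r"\((?P<family>IPv[46])(?::\s*(?P<addr>[^)]+))?\)\s+port (?P<port>\d+)"
)

def scope(host, addr):
    """Classify which interfaces a listener is reachable on."""
    if host == "*":
        return "all-interfaces"
    if addr:
        try:
            ip = ipaddress.ip_address(addr.strip())
        except ValueError:
            return "unknown"
        if ip.is_loopback:
            return "loopback-only"
        return "all-interfaces" if ip.is_unspecified else "single-interface"
    return "loopback-only" if host == "localhost" else "unknown"

def listeners(log_text):
    """Return {port: (endpoint, host, scope)}. The last message per port wins,
    because messages.log accumulates entries across configuration updates."""
    found = {}
    for m in LISTEN_RE.finditer(log_text):
        found[int(m["port"])] = (m["endpoint"], m["host"], scope(m["host"], m["addr"]))
    return found

def diagnose(log_text, port):
    """Say where to look next when a remote client cannot reach `port`."""
    entry = listeners(log_text).get(port)
    if entry is None:
        return "not-listening: no listener message for this port"
    if entry[2] == "loopback-only":
        return "server-config: bound to loopback, set host on httpEndpoint"
    if entry[2] == "all-interfaces":
        return "network: bound to all interfaces, check firewall and NAT"
    return "network: bound to %s only, confirm clients use that address" % entry[1]

# Constructed sample lines (not from the original post). The wildcard form
# "(IPv6)" without an address is an assumption about the log format.
SAMPLE_LOG = """\
I WWKO0219I: TCP Channel defaultHttpEndpoint has been started and is now listening for requests on host localhost  (IPv4: 127.0.0.1) port 9080.
I WWKO0219I: TCP Channel defaultHttpEndpoint has been started and is now listening for requests on host *  (IPv6) port 8007.
I WWKO0219I: TCP Channel defaultHttpEndpoint-ssl has been started and is now listening for requests on host *  (IPv6) port 9443.
"""

if __name__ == "__main__":
    for p in (9080, 8007, 9443, 80):
        print(p, diagnose(SAMPLE_LOG, p))
```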

Related

Websphere Liberty How to get a MDB Listener working?

I'm trying to get an MDB Listener working in Websphere Liberty v16.0.0.4 but I don't get a message in my messages.log that the application that needs to use the MDB Listener has been bound to the activation spec.
I have the following information:
QueueManager: TEST
Hostname: localhost
Default ServerConnectionChannel: BAN.TEST.T1
Portnumber: 5704
Queue Connection Factory:
JndiName: jms/dbd_pega_CNVBANQCF
Type TCF/QCF/CF: QCF
ServerConnectionChannel: BAN.TEST.T1
Queue 1:
JndiName: jms/dbd_pega_CNVBAN_ReqQ
queueName: SRV00026.201206.BAN
Queue 2:
JndiName: jms/dbd_pega_CNVBAN_RplQ
queueName: BAN.RPL.BAN
Activation Specification:
JNDI Activation Specification: eis/dbd_pega_cnvbanQAS
Name Activation Specification: dbd_pega_cnvbanQAS
The JNDI name of the Destination Queue: jms/dbd_pega_CNVBAN_ReqQ
The MDB Listener is called CnvMQIbanServices.jar and is put in the ear file called prpc_j2ee14_ws.ear.
And this is my server.xml:
<?xml version="1.0" encoding="UTF-8"?>
<server description="server">
<featureManager>
<feature>webProfile-7.0</feature>
<feature>localConnector-1.0</feature>
<feature>jdbc-4.1</feature>
<feature>ssl-1.0</feature>
<feature>servlet-3.1</feature>
<feature>ejb-3.2</feature>
<feature>ejbLite-3.2</feature>
<feature>ejbRemote-3.2</feature>
<feature>jndi-1.0</feature>
<feature>jms-2.0</feature>
<feature>jaxws-2.2</feature>
<feature>jaxb-2.2</feature>
<feature>restConnector-2.0</feature>
<feature>wmqJmsClient-2.0</feature>
<feature>jmsMdb-3.2</feature>
</featureManager>
<applicationManager autoExpand="true"/>
<jmsQueueConnectionFactory jndiName="jms/dbd_pega_CNVBANQCF" connectionManagerRef="ConMgr6">
<properties.wmqJms
transportType="CLIENT"
hostName="localhost"
port="5704"
channel="BAN.TEST.T1"
queueManager="TEST"/>
</jmsQueueConnectionFactory>
<connectionManager id="ConMgr6" maxPoolSize="2"/>
<jmsQueue id="jms/dbd_pega_CNVBAN_ReqQ" jndiName="jms/dbd_pega_CNVBAN_ReqQ">
<properties.wmqJms
baseQueueName="SRV00026.201206.BAN"
baseQueueManagerName="TEST"/>
</jmsQueue>
<jmsQueue id="jms/dbd_pega_CNVBAN_RplQ" jndiName="jms/dbd_pega_CNVBAN_RplQ">
<properties.wmqJms
baseQueueName="BAN.RPL.BAN"
baseQueueManagerName="TEST"/>
</jmsQueue>
<jmsActivationSpec id="prpc_j2ee14_ws/CnvMQIbanServices.jar/CnvMQIbanServices_J2CMessageEndpoint">
<properties.wmqJms
transportType="CLIENT"
destinationRef="jms/dbd_pega_CNVBAN_ReqQ"
destinationType="javax.jms.Queue"
hostName="localhost"
port="5704"
channel="BAN.TEST.T1"
queueManager="TEST"/>
</jmsActivationSpec>
</server>
If I import an MDB Listener into an application in Websphere Application Server I know that I need to bind the MDB Listener.jar file to the activation spec, so in this case I bound CnvMQIbanServices.jar to eis/dbd_pega_cnvbanQAS. I'm missing this, but how do I need to put this in the server.xml, and am I maybe missing something else?
In order to determine if you are using the correct value for the jmsActivationSpec id, look in the messages.log file after starting your server for a warning such as the following,
com.ibm.ws.ejbcontainer.mdb.internal.MDBRuntimeImpl W CNTR4015W: The message endpoint for the {MDB_NAME} message-driven bean cannot be activated because the {ACTIVATION_SPEC_NAME} activation specification is not available. The message endpoint will not receive messages until the activation specification becomes available.
Use the value that you see for {ACTIVATION_SPEC_NAME} as the jmsActivationSpec id value.
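The comparison this answer describes, as an added example that is not part of the original answer: it extracts the activation specification names from CNTR4015W warnings and lists the ones that have no matching jmsActivationSpec id in server.xml. The MDB name and the log line are constructed; the real values come from your own messages.log.

```python
import re
import xml.etree.ElementTree as ET

# Warning text as quoted in the answer, with its two placeholders captured.
CNTR4015W_RE = re.compile(
    r"CNTR4015W: The message endpoint for the (?P<mdb>\S+) message-driven bean "
    r"cannot be activated because the (?P<spec>\S+) activation specification "
    r"is not available"
)


def wanted_specs(log_text):
    """Map each activation spec name the server asked for to the MDBs using it."""
    wanted = {}
    for m in CNTR4015W_RE.finditer(log_text):
        wanted.setdefault(m["spec"], set()).add(m["mdb"])
    return wanted


def configured_specs(server_xml):
    """Return the id of every jmsActivationSpec element in server.xml."""
    root = ET.fromstring(server_xml)
    return {e.get("id") for e in root.iter("jmsActivationSpec")}


def mismatches(log_text, server_xml):
    """Spec names requested in the log that no jmsActivationSpec id provides."""
    have = configured_specs(server_xml)
    return {s: sorted(m) for s, m in wanted_specs(log_text).items() if s not in have}


# Constructed log line: the MDB name and the spec name are illustrative only.
SAMPLE_LOG = (
    "W CNTR4015W: The message endpoint for the CnvMQIbanServices message-driven "
    "bean cannot be activated because the eis/dbd_pega_cnvbanQAS activation "
    "specification is not available. The message endpoint will not receive "
    "messages until the activation specification becomes available.\n"
)

# Reduced server.xml using the jmsActivationSpec id from the question.
SAMPLE_SERVER_XML = """\
<server description="server">
  <jmsActivationSpec id="prpc_j2ee14_ws/CnvMQIbanServices.jar/CnvMQIbanServices_J2CMessageEndpoint">
    <properties.wmqJms destinationRef="jms/dbd_pega_CNVBAN_ReqQ"/>
  </jmsActivationSpec>
</server>
"""

if __name__ == "__main__":
    for spec, mdbs in mismatches(SAMPLE_LOG, SAMPLE_SERVER_XML).items():
        print("no jmsActivationSpec with id=%r (needed by %s)" % (spec, ", ".join(mdbs)))
```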

How do you join a Liberty collective on Linux?

I am trying to set up a Liberty collective using Docker hosts running Linux. The videos they have about setting up Liberty collectives at the moment use Windows and are all on the same machine.
Joining the collective so it appears on adminCenter isn't too hard; it is just a matter of collective join --host=...
The problem is the administration part, i.e. changing the configuration file or stopping and starting the servers is not working.
I tried various ways of passing in hostInfo in server.xml or --sshPrivateKey, hard coding root passwords, and none of them work.
According to the instructions all you needed was an openssh-server, which I have already enabled and running. I have already exposed the ports and verified I can connect to them using a certificate from the controller container as well.
In addition, based on the REST API, it uses a stringified SSH private key itself rather than a file, and that should be sent through the collective registerHost, but it does not appear to work and there is nothing in the command line logs, even with .level=ALL and ...consolelogger...=ALL, that shows what the hostAuthInfo is.
One of the commands I ran for collective join is:
collective join defaultServer \
--host=controller \
--port=9443 \
--user=adminUser \
--password=adminPassword \
--autoAcceptCertificates \
--rpcUser=root \
--sshPrivateKey=$HOME/.ssh/id_rsa \
--keystorePassword=$PASSWORD \
--createConfigFile=/config/collective-join-include.xml
I say "one of" because I tried various combinations where I removed or changed --rpcUser, --sshPrivateKey and other authInfo related items.
server.xml of member is at this point ...
<?xml version="1.0" encoding="UTF-8"?>
<server description="Application Server">
<featureManager>
<feature>javaee-7.0</feature>
<feature>clusterMember-1.0</feature>
<!--<feature>scalingMember-1.0</feature>-->
</featureManager>
<remoteFileAccess>
<writeDir>${server.config.dir}</writeDir>
</remoteFileAccess>
<httpEndpoint id="defaultHttpEndpoint" httpPort="9080" httpsPort="9443" host="*"/>
<!--<hostSingleton name="ScalingMemberSingletonService" port="5164" />-->
<applicationManager autoExpand="true"/>
<!--<hostAuthInfo rpcUser="root" sshPublicKeyPath="/root/.ssh/id_rsa.pub" sshPrivateKeyPath="/root/.ssh/id_rsa"/>-->
<include location="${server.config.dir}/collective-join-include.xml"/>
<dataSource id="myds" jndiName="jdbc/sample" type="javax.sql.XADataSource">
<jdbcDriver javax.sql.ConnectionPoolDataSource="org.mariadb.jdbc.MariaDbDataSource" javax.sql.DataSource="org.mariadb.jdbc.MariaDbDataSource" javax.sql.XADataSource="org.mariadb.jdbc.MariaDbDataSource">
<library>
<file name="${server.config.dir}/mariadb-java-client-1.5.9.jar"/>
</library>
</jdbcDriver>
<properties databaseName="jeesample" password="password" serverName="database" user="jeeuser"/>
</dataSource>
<basicRegistry id="basic" realm="BasicRealm">
<user name="websphere" password="{xor}KDo9LC83Oi06"/>
</basicRegistry>
<ejbContainer>
<timerService>
<persistentExecutor taskStoreRef="mystore"/>
</timerService>
</ejbContainer>
<databaseStore dataSourceRef="myds" id="mystore"/>
</server>
Controller side
<?xml version="1.0" encoding="UTF-8"?>
<server description="Collective Controller">
<variable name="defaultHostName" value="controller"/>
<httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443"/>
<featureManager>
<!--<feature>scalingController-1.0</feature>-->
<feature>adminCenter-1.0</feature>
<feature>dynamicRouting-1.0</feature>
</featureManager>
<remoteFileAccess>
<writeDir>${server.config.dir}</writeDir>
</remoteFileAccess>
<!--<scalingDefinitions>
<defaultScalingPolicy enabled="true" min="2" max="2"/>
</scalingDefinitions>-->
<include location="${server.config.dir}/resources/collective/collective-create-include.xml"/>
<collectiveController user="adminUser" password="adminPassword"/>
</server>
By default, when ssh is properly configured and running on the Linux machines (controller's and member's host machine), you only need to run the 'collective join' command from the member's wlp/bin dir. You should not need to specify hostInfo nor --sshPrivateKey via server.xml nor the collective updateHost/registerHost commands. This flow will use the ssh keys generated by the collective.
The useHostCredentials flag is generally meant to be used with rpcUser and rpcUserPassword (provided via registerHost, updateHost, or server.xml) instead of ssh, especially useful for systems that do not have ssh configured (like Windows by default). However, it can also be used to specify custom ssh keys.
If you're still having trouble, provide the collective join command that was run from the member's wlp/bin, as well as the server.xml of the controller and member.

Configuring Liberty with httpProxyRedirect

I am attempting to redirect traffic on insecure port to secure port as described here:
https://www.ibm.com/support/knowledgecenter/en/SSD28V_9.0.0/com.ibm.websphere.liberty.autogen.core.doc/ae/rwlp_config_httpProxyRedirect.html
Instead both ports are available and I see nothing in the logs. It's as if the httpProxyRedirect isn't being configured at all.
<?xml version="1.0" encoding="UTF-8"?>
<server description="CAST Liberty Server">
<!-- Enable features -->
<featureManager>
<feature>webProfile-7.0</feature>
</featureManager>
<application id="app" context-root="/" type="war" location="${war.name}">
<classloader apiTypeVisibility="spec, ibm-api, api, third-party" />
</application>
<httpProxyRedirect id="defaultHttpProxyRedirect" httpPort="${http.port}" httpsPort="${https.port}" />
<keyStore id="defaultKeyStore" password="pass" />
<httpEndpoint host="*" httpPort="${http.port}" httpsPort="${https.port}" id="defaultHttpEndpoint" />
<applicationMonitor updateTrigger="mbean" />
</server>
Most likely, you are missing the security-constraints in the web.xml. This configuration tells the server which URLs need to be accessed over a secure transport and then re-directs qualifying requests from the non-secure port to the secure port. This tutorial may help: https://docs.oracle.com/cd/E19798-01/821-1841/bncbk/index.html
Also, keep in mind that the httpProxyRedirect configuration in the server.xml is intended for redirecting when you have a proxy server in front of your application server. For example, you may have your proxy server on the main "www.ibm.com" host - listening on HTTP port 80 and HTTPS port 443. But that host may route some requests to your Liberty application server on some other host (like "app1host.internal.ibm.com") that listens on different ports (i.e. HTTP port 9080 and HTTPS port 9443). In that case, just using the security-constraints in the web.xml would attempt to redirect the client request on the Liberty server from 9080 to 9443 but on the www.ibm.com host - where nothing is listening on those ports. In this case, you should configure httpProxyRedirect like this:
<httpProxyRedirect httpPort="80" httpsPort="443" host="www.ibm.com" />
With the configuration, a client HTTP request to a secured URL will get redirected to www.ibm.com on port 443, where the proxy server will forward the request to app1host.internal.ibm.com port 9443.
Hope this helps,
Andy
This is the security constraint that I am using in my web.xml and it works well for both Tomcat and IBM Websphere 8.5.5.15:
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Note: make sure that you put it after your <servlet-mapping>.
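Both answers tie the redirect to a CONFIDENTIAL transport guarantee in web.xml. The following added example (not from either answer) parses a web.xml and lists which URL patterns carry that guarantee and which do not. The sample descriptor is constructed, and its second constraint is hypothetical.

```python
import xml.etree.ElementTree as ET


def local(tag):
    """Strip an XML namespace, since web.xml may or may not declare one."""
    return tag.rsplit("}", 1)[-1]


def children(elem, name):
    return [c for c in elem if local(c.tag) == name]


def transport_guarantees(web_xml):
    """Return [(url_pattern, guarantee)] for every security-constraint.
    A constraint without a user-data-constraint is reported as NONE."""
    rows = []
    for sc in children(ET.fromstring(web_xml), "security-constraint"):
        guarantee = "NONE"
        for udc in children(sc, "user-data-constraint"):
            for tg in children(udc, "transport-guarantee"):
                guarantee = (tg.text or "").strip().upper() or "NONE"
        for wrc in children(sc, "web-resource-collection"):
            for up in children(wrc, "url-pattern"):
                rows.append(((up.text or "").strip(), guarantee))
    return rows


def redirect_expected(web_xml):
    """Patterns whose plain-HTTP requests should be redirected to HTTPS."""
    return sorted(p for p, g in transport_guarantees(web_xml) if g == "CONFIDENTIAL")


def not_redirected(web_xml):
    """Constrained patterns with no CONFIDENTIAL guarantee. A more specific
    pattern is the best match for its requests, so it is not covered by a
    CONFIDENTIAL constraint on /*."""
    return sorted(p for p, g in transport_guarantees(web_xml) if g != "CONFIDENTIAL")


# Constructed sample: the first constraint is the one shown above, the second
# (/health, no transport guarantee) is hypothetical.
SAMPLE_WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Health</web-resource-name>
      <url-pattern>/health</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>
"""
```

An empty result from redirect_expected means the descriptor gives the server no reason to redirect, which matches the symptom in the question.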

Unable to use JCA CICS resource with IBM WebSphere Application Server Liberty Profile

I'm trying to setup WLP for an existing EAR application.
This setup works fine with WAS 9 traditional.
The problem is the JCA CICS Resource Adapter call.
The server.xml :
<?xml version="1.0" encoding="UTF-8"?>
<server description="new server">
<!-- Enable features -->
<featureManager>
<feature>javaee-7.0</feature>
</featureManager>
<!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
<httpEndpoint id="defaultHttpEndpoint"
host="*"
httpPort="9080"
httpsPort="9443" />
<!-- Automatically expand WAR files and EAR files -->
<applicationManager autoExpand="true"/>
<library id="sharedLibs">
<fileset dir="/work/sharedlibs" includes="*.jar"/>
<folder dir="/work" />
</library>
<resourceAdapter
autoStart="true"
id="eciResourceAdapter"
location="/work/cicseci.rar">
</resourceAdapter>
<connectionFactory id="CTGDV06" jndiName="jca/CTGDV06" >
<properties.eciResourceAdapter.javax.resource.cci.ConnectionFactory
connectionUrl="tcp://*******"
serverName="*******"
userName="*******"
portNumber="2006"
/>
</connectionFactory>
<application type="ear" id="app" location="app.ear" name="app">
<classloader
commonLibraryRef="sharedLibs"
classProviderRef="eciResourceAdapter" />
</application>
</server>
in ibm-web-bnd.xml :
<resource-ref name="cicsjca" binding-name="jca/CTGDV06"></resource-ref>
in web.xml :
<resource-ref id="ResourceRef_Cics_Jca">
<description>Acces CICS</description>
<res-ref-name>cicsjca</res-ref-name>
<res-type>javax.resource.cci.ConnectionFactory</res-type>
<res-auth>Application</res-auth>
<res-sharing-scope>Shareable</res-sharing-scope>
</resource-ref>
Startup is OK, but access to JCA fails with:
java.lang.Exception: Lookup for java:comp/env/cicsjca failed. Exception: javax.naming.NamingException: CWNEN1001E: The object referenced by the java:comp/env/cicsjca JNDI name could not be instantiated. If the reference name maps to a JNDI name in the deployment descriptor bindings for the application performing the JNDI lookup, make sure that the JNDI name mapping in the deployment descriptor binding is correct. If the JNDI name mapping is correct, make sure the target resource can be resolved with the specified name relative to the default initial context.
[Root exception is com.ibm.wsspi.injectionengine.InjectionException: CWNEN0030E: The server was unable to obtain an object instance for the java:comp/env/cicsjca reference. The exception message was: CWNEN1003E: The server was unable to find the jca/CTGDV06 binding with the javax.resource.cci.ConnectionFactory type for the java:comp/env/cicsjca reference.]
I don't understand what's wrong with this setup, any help would be appreciated!
The correct configuration depends on how many connection factory implementations are provided by the resource adapter.
If the resource adapter provides only a single connection factory (which is commonly the case for many resource adapters), then configuration would be:
<connectionFactory id="CTGDV06" jndiName="jca/CTGDV06" >
<properties.eciResourceAdapter
connectionUrl="tcp://*******"
serverName="*******"
userName="*******"
portNumber="2006"
/>
</connectionFactory>
Full detail on how to specify configuration for JCA resource adapters in Liberty can be found here in the knowledge center.

IBM Liberty client certificate authentication

I am trying to configure my liberty server for client certificate authentication by these steps:
http://www.ibm.com/support/knowledgecenter/SS7K4U_liberty/com.ibm.websphere.wlp.zseries.doc/ae/twlp_sec_clientcert.html
My liberty configuration:
<server description="new server">
<!-- Enable features -->
<featureManager>
<feature>webProfile-7.0</feature>
<feature>restConnector-1.0</feature>
<feature>localConnector-1.0</feature>
<feature>monitor-1.0</feature>
<feature>jsp-2.3</feature>
<feature>adminCenter-1.0</feature>
<feature>ssl-1.0</feature>
</featureManager>
<!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
<httpEndpoint id="defaultHttpEndpoint"
httpPort="9081"
httpsPort="9444" />
<application id="Sample" name="Sample" type="war" location="Sample.war"/>
<keyStore id="defaultKeyStore" location="key.jks" type="JKS" password="{xor}EzY9Oi0rJg==" />
<keyStore id="defaultTrustStore" location="truststore.jks" type="JKS" password="{xor}EzY9Oi0rJg==" />
<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" clientAuthenticationSupported="true"/>
<webAppSecurity allowFailOverToBasicAuth="true" />
<auth-method>CLIENT-CERT</auth-method>
<basicRegistry id="basic">
<user identity="CN=Admin,O=myOrg,C=country" name="Admin" password="admin" />
</basicRegistry>
<administrator-role>
<user>Admin</user>
</administrator-role>
</server>
From java client I get:
CWWKX0229E: There was a problem with the user credentials provided. The server responded with code 401 and message 'Unauthorized'
I think my user mapping is wrong. Can somebody give me an example how to map client certificate with the liberty user?
Is the intent to log in to the web application using the certificate rather than user/password? You need to define the CLIENT-CERT in web.xml. You will have to install the certificate on the browser from where the application will be accessed. Also, the Liberty server will need to have the signer certificate in the trust store. You may also define a certificate filter if the certificate DN name does match exactly to registry user.
Below command can be added to server.xml so that basic authentication can be used if client certificate authentication did not succeed.
You may also want to confirm that your application does work with basic authentication.
More details at:
http://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.wlp.doc/ae/twlp_sec_clientcert.html
