JNDI over SSL UnknownHostException - https

Hi everyone and thanks to anyone reading this post.
I've been struggling a few days, trying to change the communication of my client-server JNDI lookup from http to https.
I'm using JBoss 4.2.0 and upgrading it is currently not an option.
What I did in the client is to change the url as advised in the jboss manual.
System.setProperty("javax.net.ssl.trustStore", "C:/Program Files (x86)/localhost.truststore");
System.setProperty("javax.net.ssl.trustStoreType", "JKS");
System.setProperty("javax.net.ssl.trustStorePassword", "opensource");
System.setProperty(HTTPSClientInvoker.IGNORE_HTTPS_HOST,"true");
jndiProperties.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.HttpNamingContextFactory");
jndiProperties.put(Context.PROVIDER_URL, "https://"+serverIp+":8443/invoker/JNDIFactory"
final Context context = new InitialContext(jndiProperties);
T facade = (T) context.lookup(facadeName);
return facade;
previously the url was:
jndiProperties.put(Context.PROVIDER_URL, "jnp://"+serverIp+":1099");
and the contextfactory was
jndiProperties.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
the serverIp is the real server the user enters. I don't want to use a network host name since I don't have a dns server in my server.
I didn't have any problem with the jnp url and the jnp naming factory, but when I try the access over SSL, the Jboss code in HTTPNamingContextFactory.getNamingServer(URL providerURL) overrides my ip with a host name the client doesn't recognize.
It does some marshalling from the server and takes the first host entry which is defined in my linux server hosts file.
The HttpInvokerProxy does that eventually by writing the externalURLValue from the server, which is:
"https://myhost:8443/invoker/JMXInvokerServlet".
My client doesn't know what to do with this "myhost", it needs the real ip of the server, which I initially provide in the JNDI properties in the client.
The only thing I was able to do is edit the hosts file in the client windows system hosts file, and add an entry myhosts with the real ip, but this is of course
not a solution for a production environment, since I can't ask my user to make such modifications.
So I get this exception in the client:
javax.naming.CommunicationException: Operation failed [Root exception is java.rmi.ServerException: IOE; nested exception is:
java.net.UnknownHostException: myhost
My server's deploy/http-invoker.sar/META-INF/jboss-service.xml is below, if I try to set useHostName to false, then the localhost ip would be used
127.0.0.1 instead of myhost, which isn't any helpful, since I just need to keep my initially provided ip.
I'm a newbee to JBoss so I will appreciate any answer as to what am I doing wrong, and how can I resolve this without upgrade of JBOSS.
Thank You
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE server>
<!-- $Id: jboss-service.xml 26202 2004-11-29 16:54:36Z starksm $ -->
<server>
<!-- The HTTP invoker service configration
-->
<mbean code="org.jboss.invocation.http.server.HttpInvoker"
name="jboss:service=invoker,type=https">
<!-- Use a URL of the form http://<hostname>:8080/invoker/EJBInvokerServlet
where <hostname> is InetAddress.getHostname value on which the server
is running.
-->
<attribute name="InvokerURLPrefix">https://</attribute>
<attribute name="InvokerURLSuffix">:${https.port}/invoker/EJBInvokerServlet</attribute>
<attribute name="UseHostName">true</attribute>
</mbean>
<!-- Expose the Naming service interface via HTTP -->
<mbean code="org.jboss.invocation.http.server.HttpProxyFactory"
name="jboss:service=invoker,type=http,target=Naming">
<!-- The Naming service we are proxying -->
<attribute name="InvokerName">jboss:service=Naming</attribute>
<!-- Compose the invoker URL from the cluster node address -->
<attribute name="InvokerURLPrefix">https://</attribute>
<attribute name="InvokerURLSuffix">:${https.port}/invoker/JMXInvokerServlet</attribute>
<attribute name="UseHostName">true</attribute>
<attribute name="ExportedInterface">org.jnp.interfaces.Naming</attribute>
<attribute name="JndiName"></attribute>
<attribute name="ClientInterceptors">
<interceptors>
<interceptor>org.jboss.proxy.ClientMethodInterceptor</interceptor>
<interceptor>org.jboss.proxy.SecurityInterceptor</interceptor>
<interceptor>org.jboss.naming.interceptors.ExceptionInterceptor</interceptor>
<interceptor>org.jboss.invocation.InvokerInterceptor</interceptor>
</interceptors>
</attribute>
</mbean>
<!-- Expose the Naming service interface via clustered HTTP. This maps
to the ReadOnlyJNDIFactory servlet URL
-->
<mbean code="org.jboss.invocation.http.server.HttpProxyFactory"
name="jboss:service=invoker,type=http,target=Naming,readonly=true">
<attribute name="InvokerName">jboss:service=Naming</attribute>
<attribute name="InvokerURLPrefix">http://</attribute>
<attribute name="InvokerURLSuffix">:8080/invoker/readonly/JMXInvokerServlet</attribute>
<attribute name="UseHostName">true</attribute>
<attribute name="ExportedInterface">org.jnp.interfaces.Naming</attribute>
<attribute name="JndiName"></attribute>
<attribute name="ClientInterceptors">
<interceptors>
<interceptor>org.jboss.proxy.ClientMethodInterceptor</interceptor>
<interceptor>org.jboss.proxy.SecurityInterceptor</interceptor>
<interceptor>org.jboss.naming.interceptors.ExceptionInterceptor</interceptor>
<interceptor>org.jboss.invocation.InvokerInterceptor</interceptor>
</interceptors>
</attribute>
</mbean>
</server>

Have you check the values of the properties java.rmi.server.hostname, tomcat.proxyName and tomcat.sslProxyName? (You can check their values using the SystemProperties MBean in the JMXConsole).
I don't know from where gets the server name the HTTP Inovker Servlet, but it might use one of those properties. Try to define them as the ip you want it to use, but be careful because it could change the behaviour of other services/applications.

Related

How to secure a camel cxf endpoint (https) in FUSE 7.6?

We have been using camel-cxf service endpoints for multiple applications. They works well. Recently we have a need to secure these service endpoints. Therefore, we are adding <httpu:engine-factory> configuration to the camel-context.xml.
We also configured FUSE 7.6 server to have the secure port at 8183 by setting
[FUSE 7.6 Install]/etc/org.ops4j.pax.web.cfg file:
org.osgi.service.http.port = 8181
org.osgi.service.http.port.secure = 8183
org.ops4j.pax.web.config.file = ${karaf.etc}/undertow.xml
org.ops4j.pax.web.session.cookie.httpOnly = false
org.ops4j.pax.web.session.cookie.secure = true
[FUSE 7.6 Install]/etc/undertow.xml is correctly configured to point
to right keystore and truststore, etc.
Following is the camel-context.xml:
<?xml version="1.0" encoding="UTF-8"?>
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
xmlns:cxf="http://camel.apache.org/schema/blueprint/cxf"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:sec="http://cxf.apache.org/configuration/security"
xmlns:http="http://cxf.apache.org/transports/http/configuration"
xmlns:httpu="http://cxf.apache.org/transports/http-undertow/configuration"
xsi:schemaLocation="
http://www.osgi.org/xmlns/blueprint/v1.0.0
https://osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd
http://cxf.apache.org/configuration/security
http://cxf.apache.org/schemas/configuration/security.xsd
http://cxf.apache.org/transports/http/configuration
http://cxf.apache.org/schemas/configuration/http-conf.xsd
http://cxf.apache.org/transports/http-undertow/configuration
http://cxf.apache.org/schemas/configuration/http-undertow.xsd">
<bean class="com.mycom.myapp.CamelRequestProcessor" id="myProcessor"/>
<cxf:cxfEndpoint address="{{MY_HOST}}:8185{{MY_SVC_ADDRESS}}"
bus="auditBus" id="myWebServiceEndpoint"
serviceClass="com.mycom.myapp.MyWebServiceEndpoint" wsdlURL="wsdl/mySvc.wsdl"/>
<httpu:engine-factory bus="cxf">
<httpu:engine port="8185">
<httpu:tlsServerParameters secureSocketProtocol="$(MY_SECURE_SOCKET_PROTOCOL)">
<sec:keyManagers keyPassword="$(MY_KEY_PASSWORD)">
<sec:keyStore file="$(MY_KEYSTORE)" password="$(MY_KEYSTORE_PASSWORD)" type="JKS"/>
</sec:keyManagers>
<sec:trustManagers>
<sec:keyStore file="$(MY_TRUSTSTORE)" password="$(MY_TRUSTSTORE_PASSWORD)" type="JKS"/>
</sec:trustManagers>
<sec:clientAuthentication required="true" want="true"/>
</httpu:tlsServerParameters>
</httpu:engine>
</httpu:engine-factory>
<camelContext id="_myCamelContext" useBlueprintPropertyResolver="true" errorHandlerRef="myErrorHandler">
<route id="_firstRuote">
<from id="_from" uri="cxf:bean:myWebServiceEndpoint"/>
<bean id="_processor" method="process" ref="myProcessor"/>
<to id="_to4" uri="direct:otherEndpoints"/>
</route>
</camelContext>
</blueprint>
After we add <httpu:engine-factory/>section, the code is built and deployed to FUSE 7.6. Everything goes well. There is no error in the log, and the bundle starts normally. When I inspected the service at https://myhost:8183/cxf, the service is displayed in browser
Endpoint address: https://my host:8185/cxf/MyWebServiceEndpoint/<br>
WSDL : {namespace}MyWebServiceEndpoint <--This is a link-->
However, when I click the WSDL link, it spins a few seconds, then displays "Unable to connect". It should display the WSDL file.
The browser address bar does point to the correct URL
https://myhost:8185/cxf/MyWebServiceEndpoint/?wsdl
Any help is greatly appreciated.
Your camel-cxf endpoint has
<sec:clientAuthentication required="true" want="true"/>
Which means your client(in this case a browser to load the wsdl) also needs to provide the private key(keystore).
Did you import truststore/keystore that you used for the camel-cxf endpoint into your browser?
The issue is resolved. The undertow configuration has to specify host as the following, which makes the port accessible:
<httpu:engine host="0.0.0.0" port="8185">

Configuring Liberty with httpProxyRedirect

I am attempting to redirect traffic on insecure port to secure port as described here:
https://www.ibm.com/support/knowledgecenter/en/SSD28V_9.0.0/com.ibm.websphere.liberty.autogen.core.doc/ae/rwlp_config_httpProxyRedirect.html
Instead both ports are available and I see nothing in the logs. It's as if the httpProxyRedirect isn't being configured at all.
<?xml version="1.0" encoding="UTF-8"?>
<server description="CAST Liberty Server">
<!-- Enable features -->
<featureManager>
<feature>webProfile-7.0</feature>
</featureManager>
<application id="app" context-root="/" type="war" location="${war.name}">
<classloader apiTypeVisibility="spec, ibm-api, api, third-party" />
</application>
<httpProxyRedirect id="defaultHttpProxyRedirect" httpPort="${http.port}" httpsPort="${https.port}" />
<keyStore id="defaultKeyStore" password="pass" />
<httpEndpoint host="*" httpPort="${http.port}" httpsPort="${https.port}" id="defaultHttpEndpoint" />
<applicationMonitor updateTrigger="mbean" />
</server>
Most likely, you are missing the security-constraints in the web.xml. This configuration tells the server which URLs need to be accessed over a secure transport and then re-directs qualifying requests from the non-secure port to the secure port. This tutorial may help: https://docs.oracle.com/cd/E19798-01/821-1841/bncbk/index.html
Also, keep in mind that the httpProxyRedirect configuration in the server.xml is intended for redirecting when you have a proxy server in front of your application server. For example, you may have your proxy server on the main "www.ibm.com" host - listening on HTTP port 80 and HTTPS port 443. But that host may route some requests to your Liberty application server on some other host (like "app1host.internal.ibm.com") that listens on different ports (i.e. HTTP port 9080 and HTTPS port 9443). In that case, just using the security-constraints in the web.xml would attempt to redirect the client request on the Liberty server from 9080 to 9443 but on the www.ibm.com host - where nothing is listening on those ports. In this case, you should configure httpProxyRedirect like this:
<httpProxyRedirect httpPort="80" httpsPort="443" host="www.ibm.com" />
With the configuration, a client HTTP request to a secured URL will get redirected to www.ibm.com on port 443, where the proxy server will forward the request to app1host.internal.ibm.com port 9443.
Hope this helps,
Andy
This is the security constraint that i am using in my web.xml and it works well for both Tomcat and IBM Websphere 8.5.5.15:
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Note: make sure that you put it after your <servlet-mapping>.

Unable to use JCA CICS resource with IBM WebSphere Application Server Liberty Profile

I'm trying to setup WLP for an existing EAR application.
This setup works fine with WAS 9 traditional.
The problem is the JCA CICS Resource Adapter call.
The server.xml :
<?xml version="1.0" encoding="UTF-8"?>
<server description="new server">
<!-- Enable features -->
<featureManager>
<feature>javaee-7.0</feature>
</featureManager>
<!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
<httpEndpoint id="defaultHttpEndpoint"
host="*"
httpPort="9080"
httpsPort="9443" />
<!-- Automatically expand WAR files and EAR files -->
<applicationManager autoExpand="true"/>
<library id="sharedLibs">
<fileset dir="/work/sharedlibs" includes="*.jar"/>
<folder dir="/work" />
</library>
<resourceAdapter
autoStart="true"
id="eciResourceAdapter"
location="/work/cicseci.rar">
</resourceAdapter>
<connectionFactory id="CTGDV06" jndiName="jca/CTGDV06" >
<properties.eciResourceAdapter.javax.resource.cci.ConnectionFactory
connectionUrl="tcp://*******"
serverName="*******"
userName="*******"
portNumber="2006"
/>
</connectionFactory>
<application type="ear" id="app" location="app.ear" name="app">
<classloader
commonLibraryRef="sharedLibs"
classProviderRef="eciResourceAdapter" />
</application>
</server>
in ibm-web-bnd.xml :
<resource-ref name="cicsjca" binding-name="jca/CTGDV06"></resource-ref>
in web.xml :
<resource-ref id="ResourceRef_Cics_Jca">
<description>Acces CICS</description>
<res-ref-name>cicsjca</res-ref-name>
<res-type>javax.resource.cci.ConnectionFactory</res-type>
<res-auth>Application</res-auth>
<res-sharing-scope>Shareable</res-sharing-scope>
</resource-ref>
Startup is Ok, but access to JCA fail with :
java.lang.Exception: Lookup for java:comp/env/cicsjca failed. Exception: javax.naming.NamingException: CWNEN1001E: The object referenced by the java:comp/env/cicsjca JNDI name could not be instantiated. If the reference name maps to a JNDI name in the deployment descriptor bindings for the application performing the JNDI lookup, make sure that the JNDI name mapping in the deployment descriptor binding is correct. If the JNDI name mapping is correct, make sure the target resource can be resolved with the specified name relative to the default initial context.
[Root exception is com.ibm.wsspi.injectionengine.InjectionException: CWNEN0030E: The server was unable to obtain an object instance for the java:comp/env/cicsjca reference. The exception message was: CWNEN1003E: The server was unable to find the jca/CTGDV06 binding with the javax.resource.cci.ConnectionFactory type for the java:comp/env/cicsjca reference.]
I don't understand what's wrong with this setup, any help would be apreciated !
The correct configuration depends on how many connection factory implementations are provided by the resource adapter.
If the resource adapter provides only a single connection factory (which is commonly the case for many resource adapters), then configuration would be:
<connectionFactory id="CTGDV06" jndiName="jca/CTGDV06" >
<properties.eciResourceAdapter
connectionUrl="tcp://*******"
serverName="*******"
userName="*******"
portNumber="2006"
/>
</connectionFactory>
Full detail on how to specify configuration for JCA resource adapters in Liberty can be found here in the knowledge center.

IBM Websphere Liberty Profile:How to map Public IP Address in Websphere

I am trying to map my server public ip addresss in Websphere LP server.xml file but when i tried to access it from outside i am getting a connection error. I tried giving host="localhost" and tried to access from server itself,it is working fine.
Is there anything i need to configure in Websphere LP to access it from outside.
Server.xml file
<server description="new server">
<!-- Enable features -->
<featureManager>
<feature>jsp-2.2</feature>
<feature>localConnector-1.0</feature>
</featureManager>
<httpEndpoint host="*" httpPort="8007" httpsPort="9443" id="defaultHttpEndpoint"/>
<applicationMonitor updateTrigger="mbean"/>
<library id="worklight-6.0.0">
<fileset dir="C:\IBM\Liberty\usr\shared\resources" includes="worklight-jee-library-6.0.0.jar"/>
</library>
<library id="apps-common">
<fileset dir="C:\IBM\Liberty\usr\shared\resources" includes="org.hsqldb.hsqldb_2.2.5.jar"/>
</library>
<application context-root="/DemoApp" id="DemoApplication" location="DemoApplication.war" name="DemoApplication" type="war">
<classloader commonLibraryRef="worklight-6.0.0,apps-common"/>
</application>
</server>
Any help is appreciated.
As per the InfoCenter document for the httpEndpoint configuration element, here: http://pic.dhe.ibm.com/infocenter/wasinfo/v8r5/topic/com.ibm.websphere.wlp.doc/autodita/rwlp_metatype_4ic.html?resultof=%22%68%74%74%70%65%6e%64%70%6f%69%6e%74%22%20#mtFile121
A hostname of * will bind to all available network interfaces - you do not need to do anything extra on the Liberty side, which I believe answers your question.
Setting the hostname to 'localhost' will mean the http endpoint is only accessible from your machine.
Using the configuration as supplied (hostName of *), this should work remotely - so it is likely a firewall issue.
You can check the /servers/yourServer/logs/messages.log file to verify which interfaces your endpoint is binding to - look for a message of the form
WWKO0219I: TCP Channel defaultHttpEndpoint has been started and is now listening for requests on host localhost (IPv4: 127.0.0.1) port 9080.

Spring deployment-level configuration

When I wrote Java EE apps, I used JBoss Datasources to control which databases the deployment used. E.g. the dev versions would use a throwaway hibernate db, the ref and ops would use stable MySQL deployments. I also used MBeans to configure various other services and rules.
Now that I'm using Spring, I'd like the same functionality - deploy the same code, but with different configuration. Crucially, I'd also like Unit Tests to still run with stub services. My question is this - is there a way, in JBoss, to inject configuration with files which live outside of the WAR/EAR, and also include these files in test resources.
It is possible to add objects into the JNDI context by placing a file named xxx-service.xml into jboss's deploy directory. The app could then lookup the values via JNDI. In the example below the string "development" is added at java:/modes/deployment. To use JNDI in your unit tests use the org.springframework.mock.jndi package.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE server PUBLIC "-//JBoss//DTD MBean Service 4.0//EN"
"http://www.jboss.org/j2ee/dtd/jboss-service_4_0.dtd">
<server>
<mbean code="org.jboss.naming.JNDIBindingServiceMgr"
name="c3po.naming:service=jndi-bindings">
<attribute name="BindingsConfig" serialDataType="jbxb">
<jndi:bindings
xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
xmlns:jndi="urn:jboss:jndi-binding-service:1.0"
xs:schemaLocation="urn:jboss:jndi-binding-service:1.0 resource:jndi-binding-service_1_0.xsd"
>
<jndi:binding name="java:/modes/deployment">
<jndi:value type="java.lang.String">development</jndi:value>
</jndi:binding>
<jndi:binding name="java:/sites/abc">
<jndi:value type="java.lang.String">dev.site.example.com</jndi:value>
</jndi:binding>
<!-- Examples:
<jndi:binding name="urls/jboss-home">
<jndi:value type="java.net.URL">http://www.jboss.org</jndi:value>
</jndi:binding>
<jndi:binding name="hosts/localhost">
<jndi:value editor="org.jboss.util.propertyeditor.InetAddressEditor">
127.0.0.1
</jndi:value>
</jndi:binding>
<jndi:binding name="maps/testProps">
<java:properties xmlns:java="urn:jboss:java-properties"
xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
xs:schemaLocation="urn:jboss:java-properties resource:java-properties_1_0.xsd">
<java:property>
<java:key>key1</java:key>
<java:value>value1</java:value>
</java:property>
<java:property>
<java:key>key2</java:key>
<java:value>value2</java:value>
</java:property>
</java:properties>
</jndi:binding>
-->
</jndi:bindings>
</attribute>
<depends>jboss:service=Naming</depends>
</mbean>
</server>

Resources